Automatically generating rules for connection security

US 8,056,124 B2
Filed: 07/15/2005
Issued: 11/08/2011
Est. Priority Date: 07/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method performed by a processor executing computer-executable instructions stored in a memory of a computer system configured to create a security policy for a firewall policy and a connection policy, the executed method further comprising:

providing a user interface through which a user can specify security rules relating to the firewall policy and the connection policy; and

automatically generating by the processor firewall rules and connection rules from the specified security rules, the security rules being higher level rules than the firewall rules and the connection rules, the generated firewall rules for input into a firewall engine and specifying addresses of computing devices that are authorized to send data to the computer system and the generated connection rules for input into an internet protocol security engine and specifying an authentication protocol for authenticating a computing device that sends data to the computer system and a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the computer system wherein a connection rule specifies behavior of an IP security protocol and specifies key exchange, data protection, and authentication associated with a connection the connection rules being generated by, for each security rule,when a local address of the security rule is unspecified, setting the local address of the connection rule to specify the computer system;

when a remote address of the security rule is unspecified, setting the remote address of the connection rule to specify any computer system;

when remote users are specified in a remote user authorization list of the security rule, terminating the generating of the connection rule if user authentication is not specified in a default authentication suite; and

determining whether a matching connection rule has already been created;

after determining that a matching connection rule has already been created, setting the authentication and crypto suites of the connection rule based on the authentication and crypto suites of the matching connection security rule; and

after determining that a matching connection security rule has not already been created, setting the authentication and crypto suites of the connection security rule to default authentication and crypto suites.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.

37 Citations

View as Search Results

16 Claims

1. A method performed by a processor executing computer-executable instructions stored in a memory of a computer system configured to create a security policy for a firewall policy and a connection policy, the executed method further comprising:
- providing a user interface through which a user can specify security rules relating to the firewall policy and the connection policy; and
  
  automatically generating by the processor firewall rules and connection rules from the specified security rules, the security rules being higher level rules than the firewall rules and the connection rules, the generated firewall rules for input into a firewall engine and specifying addresses of computing devices that are authorized to send data to the computer system and the generated connection rules for input into an internet protocol security engine and specifying an authentication protocol for authenticating a computing device that sends data to the computer system and a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the computer system wherein a connection rule specifies behavior of an IP security protocol and specifies key exchange, data protection, and authentication associated with a connection the connection rules being generated by, for each security rule,when a local address of the security rule is unspecified, setting the local address of the connection rule to specify the computer system;
  
  when a remote address of the security rule is unspecified, setting the remote address of the connection rule to specify any computer system;
  
  when remote users are specified in a remote user authorization list of the security rule, terminating the generating of the connection rule if user authentication is not specified in a default authentication suite; and
  
  determining whether a matching connection rule has already been created;
  
  after determining that a matching connection rule has already been created, setting the authentication and crypto suites of the connection rule based on the authentication and crypto suites of the matching connection security rule; and
  
  after determining that a matching connection security rule has not already been created, setting the authentication and crypto suites of the connection security rule to default authentication and crypto suites.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the data protection specifies encryption and integrity techniques.
  - 3. The method of claim 1 wherein a security rule specifies a condition and an action to take when the condition is satisfied, and authentication and encryption behavior for data that satisfies the condition.
  - 4. The method of claim 1 wherein a firewall rule includes a condition and action to take when the condition is satisfied and the condition being based on connection security information.
  - 5. The method of claim 1 wherein a user through the user interface can specify security suites for main mode and quick mode of an IP security protocol.
  - 6. The method of claim 5 wherein the security suites for the main mode include an authentication method and a crypto suite.
  - 7. The method of claim 5 wherein the security suites for quick mode include a crypto suite.
  - 8. The method of claim 5 wherein a connection rule is automatically generated based on default security suites.

9. A computer-readable storage device containing computer-executable instructions that when executed by a processor perform a method of controlling a computer system to generate a connection rule based on a security rule that includes local and remote address information and conditions indicating when the security rule applies, the executed method comprising:
- establishing endpoint information for the connection rule based on local and remote address information of the security rule bywhen a local address of the security rule is unspecified, setting the local address of the connection rule to specify the computer system;
  
  when a remote address of the security rule is unspecified, setting the remote address of the connection rule to specify any computer system;
  
  when remote users are specified in a remote user authorization list of the security rule, terminating the generating of the connection rule if user authentication is not specified in a default authentication suite;
  
  establishing an action for the connection rule based on whether conditions of the security rule can be copied to the connection rule bydetermining whether the conditions can be copied and the security rule applies to both inbound and outbound traffic;
  
  when it is determined that the conditions can be copied and the security rule applies to both inbound and outbound traffic, setting the action to secure to indicate that data matching the established endpoint information is to be transmitted only when the data can be transmitted securely; and
  
  when it is determined that either the conditions cannot be copied or the security rule does not apply to both inbound and outbound traffic, setting the action to DMZ indicating that if data matching the established endpoint information cannot be sent securely, the data is sent in the clear; and
  
  establishing connection security suites for the connection rule based on default security suites by;
  
  determining whether a matching connection rule has already been created;
  
  after determining that a matching connection rule has already been created, setting the authentication and crypto suites of the connection rule based on the authentication and crypto suites of the matching connection security rule; and
  
  after determining that a matching connection security rule has not already been created, setting the authentication and crypto suites of the connection security rule to default authentication and crypto suites.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer-readable storage device of claim 9 wherein the default security suites include main mode and quick mode an authentication method and a crypto suite.
  - 11. The computer-readable storage device of claim 9 wherein the establishing of security suites is based on security suites already established for a connection rule with matching endpoint information.
  - 12. The computer-readable storage device of claim 9 wherein when all conditions of the security rule can be copied, an action indicates to fail when a secure connection cannot be established.
  - 13. The computer-readable storage device of claim 9 wherein when not all the conditions of the security rule can be copied, establishing an action that indicates to establish a non-secure connection when a secure connection cannot be established.

14. A computer-readable storage device containing computer-executable instructions that when executed by a processor perform a method of controlling a computer system to create a security policy relating to a firewall policy and a connection policy, the executed method comprising:
- providing a user interface through which a user can specify security rules relating to firewall policy and connection policy; and
  
  automatically generating firewall rules and connection rules from the specified security rules, the generated firewall rules specifying addresses of computing devices that are authorized to send data to the computer system and the generated connection rules relating to an authentication protocol for authenticating a computing device that sends data to the computer system and a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the computer system, the connection rules being generated by, for each security rule,when a local address of the security rule is unspecified, setting the local address of the connection rule to specify the computer system;
  
  when a remote address of the security rule is unspecified, setting the remote address of the connection rule to specify any computer system;
  
  when remote users are specified in a remote user authorization list of the security rule, terminating the generating of the connection rule if user authentication is not specified in a default authentication suite; and
  
  determining whether a matching connection rule has already been created;
  
  after determining that a matching connection rule has already been created, setting the authentication and crypto suites of the connection rule based on the authentication and crypto suites of the matching connection security rule; and
  
  after determining that a matching connection security rule has not already been created, setting the authentication and crypto suites of the connection security rule to default authentication and crypto suites.
- View Dependent Claims (15, 16)
- - 15. The computer-readable storage device of claim 14 wherein a connection rule specifies behavior of an IP security protocol.
  - 16. The computer-readable storage device of claim 14 wherein a security rule specifies a condition and an action to take when the condition is satisfied, and authentication and encryption behavior for data that satisfies the condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yariv, Eran, Carbaugh, Ian M., Bassett, Charles D., Koppolu, Lokesh Srinivas, Wahlert, Sarah A., Noy, Maksim, Bahl, Pradeep
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
LOUIE, OSCAR A

Application Number

US11/183,317
Publication Number

US 20070016945A1
Time in Patent Office

2,307 Days
Field of Search

726 1- 4, 726/11, 726/12, 726/16, 726/17, 726/21, 726/26, 726/27, 713/150, 713/151, 713/153, 713/154, 380/59, 380/255
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

Automatically generating rules for connection security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Automatically generating rules for connection security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links