Automatically generating rules for connection security
2 Assignments
0 Petitions
Abstract
A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.
37 Citations
16 Claims
1. A method performed by a processor executing computer-executable instructions stored in a memory of a computer system configured to create a security policy for a firewall policy and a connection policy, the executed method further comprising:

providing a user interface through which a user can specify security rules relating to the firewall policy and the connection policy; and

automatically generating by the processor firewall rules and connection rules from the specified security rules, the security rules being higher level rules than the firewall rules and the connection rules, the generated firewall rules for input into a firewall engine and specifying addresses of computing devices that are authorized to send data to the computer system, and the generated connection rules for input into an internet protocol security engine and specifying an authentication protocol for authenticating a computing device that sends data to the computer system and a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the computer system, wherein a connection rule specifies behavior of an IP security protocol and specifies key exchange, data protection, and authentication associated with a connection, the connection rules being generated by, for each security rule:

when a local address of the security rule is unspecified, setting the local address of the connection rule to specify the computer system;

when a remote address of the security rule is unspecified, setting the remote address of the connection rule to specify any computer system;

when remote users are specified in a remote user authorization list of the security rule, terminating the generating of the connection rule if user authentication is not specified in a default authentication suite;

determining whether a matching connection rule has already been created;

after determining that a matching connection rule has already been created, setting the authentication and crypto suites of the connection rule based on the authentication and crypto suites of the matching connection security rule; and

after determining that a matching connection security rule has not already been created, setting the authentication and crypto suites of the connection security rule to default authentication and crypto suites.

Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer-readable storage device containing computer-executable instructions that when executed by a processor perform a method of controlling a computer system to generate a connection rule based on a security rule that includes local and remote address information and conditions indicating when the security rule applies, the executed method comprising:

establishing endpoint information for the connection rule based on local and remote address information of the security rule by:

when a local address of the security rule is unspecified, setting the local address of the connection rule to specify the computer system;

when a remote address of the security rule is unspecified, setting the remote address of the connection rule to specify any computer system;

when remote users are specified in a remote user authorization list of the security rule, terminating the generating of the connection rule if user authentication is not specified in a default authentication suite;

establishing an action for the connection rule based on whether conditions of the security rule can be copied to the connection rule by determining whether the conditions can be copied and the security rule applies to both inbound and outbound traffic:

when it is determined that the conditions can be copied and the security rule applies to both inbound and outbound traffic, setting the action to secure to indicate that data matching the established endpoint information is to be transmitted only when the data can be transmitted securely; and

when it is determined that either the conditions cannot be copied or the security rule does not apply to both inbound and outbound traffic, setting the action to DMZ, indicating that if data matching the established endpoint information cannot be sent securely, the data is sent in the clear; and

establishing connection security suites for the connection rule based on default security suites by:

determining whether a matching connection rule has already been created;

after determining that a matching connection rule has already been created, setting the authentication and crypto suites of the connection rule based on the authentication and crypto suites of the matching connection security rule; and

after determining that a matching connection security rule has not already been created, setting the authentication and crypto suites of the connection security rule to default authentication and crypto suites.

Dependent claims: 10, 11, 12, 13
14. A computer-readable storage device containing computer-executable instructions that when executed by a processor perform a method of controlling a computer system to create a security policy relating to a firewall policy and a connection policy, the executed method comprising:

providing a user interface through which a user can specify security rules relating to firewall policy and connection policy; and

automatically generating firewall rules and connection rules from the specified security rules, the generated firewall rules specifying addresses of computing devices that are authorized to send data to the computer system and the generated connection rules relating to an authentication protocol for authenticating a computing device that sends data to the computer system and a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the computer system, the connection rules being generated by, for each security rule:

when a local address of the security rule is unspecified, setting the local address of the connection rule to specify the computer system;

when a remote address of the security rule is unspecified, setting the remote address of the connection rule to specify any computer system;

when remote users are specified in a remote user authorization list of the security rule, terminating the generating of the connection rule if user authentication is not specified in a default authentication suite;

determining whether a matching connection rule has already been created;

after determining that a matching connection rule has already been created, setting the authentication and crypto suites of the connection rule based on the authentication and crypto suites of the matching connection security rule; and

after determining that a matching connection security rule has not already been created, setting the authentication and crypto suites of the connection security rule to default authentication and crypto suites.

Dependent claims: 15, 16
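The following Python is an added illustration, not code from the patent, modelling the connection-rule generation recited in claims 1, 9 and 14: endpoint defaults, the remote-user check against the default authentication suite, the secure/DMZ action choice, and suite inheritance from an already-generated matching rule. All names and the suite vocabulary are constructed, and the "matching" criterion (same local and remote endpoints) is an assumption, since the claims do not define what makes a connection rule match.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed vocabulary for this example, not the patent's own naming.
USER_AUTH_METHODS = {"kerberos-user", "ntlm-user"}   # user-level authentication methods
THIS_COMPUTER, ANY_COMPUTER = "<this computer>", "<any>"

@dataclass(frozen=True)
class Suites:
    auth: tuple      # authentication methods, in preference order
    crypto: tuple    # (confidentiality, integrity) algorithms

DEFAULT_SUITES = Suites(("kerberos-machine", "kerberos-user"), ("aes-128", "sha-256"))

@dataclass
class SecurityRule:
    local_addr: Optional[str]
    remote_addr: Optional[str]
    remote_users: tuple = ()          # remote user authorization list
    conditions_copyable: bool = True  # can the conditions be copied to the connection rule?
    inbound: bool = True
    outbound: bool = True

@dataclass
class ConnectionRule:
    local: str
    remote: str
    action: str      # "secure" or "dmz"
    suites: Suites

def generate_connection_rule(rule, existing, defaults=DEFAULT_SUITES):
    """Apply the claim 9 steps to one security rule; None means generation terminated."""
    local = rule.local_addr or THIS_COMPUTER    # unspecified local -> this computer
    remote = rule.remote_addr or ANY_COMPUTER   # unspecified remote -> any computer
    # Remote users can be authorized only if the default suite offers user authentication.
    if rule.remote_users and not (USER_AUTH_METHODS & set(defaults.auth)):
        return None
    # "secure" only if conditions carry over and the rule is bidirectional; else "dmz" (clear-text fallback).
    action = "secure" if rule.conditions_copyable and rule.inbound and rule.outbound else "dmz"
    # Suites come from a matching rule (assumed: same endpoints; the claims leave "matching" undefined), else defaults.
    match = next((r for r in existing if (r.local, r.remote) == (local, remote)), None)
    return ConnectionRule(local, remote, action, match.suites if match else defaults)

def compile_policy(security_rules, defaults=DEFAULT_SUITES):
    generated = []   # earlier rules stay visible so later ones can match their suites
    for rule in security_rules:
        conn = generate_connection_rule(rule, generated, defaults)
        if conn is not None:
            generated.append(conn)
    return generated
```

The DMZ fallback is the security-relevant edge: a one-directional rule or one whose conditions cannot be copied yields a rule that permits clear-text traffic, so such rules deserve review before deployment.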
Specification