Incorporating network connection security levels into firewall rules

US 8,166,534 B2
Filed: 05/18/2007
Issued: 04/24/2012
Est. Priority Date: 05/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method for configuring a firewall for use in a computer system that comprises at least one first device disposed inside the firewall and at least one second device disposed outside the firewall, the method comprising an act of:

(A) obtaining information on a connection security policy regulating connections in the computer system between the at least one first device and the at least one second device, the connection security policy specifying as a constraint at least one connection security level that can be established for connections between the at least one first device and the at least one second device;

(B) configuring the firewall with at least one rule for the firewall that determines at least one filtering function that the firewall performs on communications between the at least one first device and the at least one second device, wherein the at least one rule employs at least one filtering parameter that is based on the at least one connection security level specified as the constraint of the connection security policy regulating connections in the computer system, the at least one filtering parameter not being uniquely related to a connection between the at least one first device and the at least one second device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.

Citations

20 Claims

1. A method for configuring a firewall for use in a computer system that comprises at least one first device disposed inside the firewall and at least one second device disposed outside the firewall, the method comprising an act of:
- (A) obtaining information on a connection security policy regulating connections in the computer system between the at least one first device and the at least one second device, the connection security policy specifying as a constraint at least one connection security level that can be established for connections between the at least one first device and the at least one second device;
  
  (B) configuring the firewall with at least one rule for the firewall that determines at least one filtering function that the firewall performs on communications between the at least one first device and the at least one second device, wherein the at least one rule employs at least one filtering parameter that is based on the at least one connection security level specified as the constraint of the connection security policy regulating connections in the computer system, the at least one filtering parameter not being uniquely related to a connection between the at least one first device and the at least one second device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the at least one filtering parameter blocks communications when no security level is established for the connection between the at least one first device and the at least one second device.
  - 3. The method of claim 1, wherein the at least one filtering parameter relates to whether communications over the connection between the at least one first device and the at least one second device are authenticated.
  - 4. The method of claim 1, wherein the at least one filtering parameter relates to whether integrity checking is performed for communications over the connection between the at least one first device and the at least one second device.
  - 5. The method of claim 1, wherein the at least one filtering parameter relates to whether communications over the connection between the at least one first device and the at least one second device are encrypted.
  - 6. The method of claim 1, wherein the at least one rule for the firewall comprises a plurality of rules comprising at least a first rule and a second rule, wherein the first rule comprises at least two filtering parameters comprising a first filtering parameter and a second filtering parameter, and wherein;
    - when the first and second filtering parameters are met for an evaluated communication between the first and second devices, the first rule results in the evaluated communication being allowed to pass through the firewall;
      
      when the first filtering parameter is met and the second filtering parameter is not met for the evaluated communication, the evaluation of the first rule results in the evaluated communication being further evaluated by the second rule to determine whether to allow the evaluated communication to pass through the firewall; and
      
      when the first filtering parameter is not met for an evaluated communication between the first and second devices, the evaluation of the first rule results in the evaluated communication being blocked by the firewall without further evaluation by the second rule.
  - 7. The method of claim 1, wherein the act (B) is performed by an administrator of the firewall.
  - 8. The method of claim 1, wherein the firewall comprises a configuration interface, and wherein the act (B) is performed by the configuration interface.

9. At least one computer readable storage medium encoded with a plurality of instructions that, when executed, perform a method for use in a computer system that comprises a firewall, at least one first device disposed inside the firewall and at least one second device disposed outside the firewall, the method comprising an act of:
- (A) configuring the firewall with at least one rule for the firewall that determines at least one filtering function that the firewall performs on communications between the at least one first device and the at least one second device, wherein the at least one rule employs at least one filtering parameter that is based on at least one connection security level specified as a constraint of a connection security policy regulating connections in the computer system between the at least one first device and the at least one second device, the at least one filtering parameter not being uniquely limited to any specific connection.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The at least one computer readable storage medium of claim 9, wherein the at least one filtering parameter blocks communications when no security level is established for the connection between the at least one first device and the at least one second device.
  - 11. The at least one computer readable storage medium of claim 9, wherein the at least one filtering parameter relates to whether communications over the connection between the at least one first device and the at least one second device are authenticated.
  - 12. The at least one computer readable storage medium of claim 9, wherein the at least one filtering parameter relates to whether integrity checking is performed for communications over the connection between the at least one first device and the at least one second device.
  - 13. The at least one computer readable storage medium of claim 9, wherein the at least one filtering parameter relates to whether communications over the connection between the at least one first device and the at least one second device are encrypted.
  - 14. The at least one computer readable storage medium of claim 9, wherein the at least one rule for the firewall comprises a plurality of rules comprising at least a first rule and a second rule, wherein the first rule comprises at least two filtering parameters comprising a first filtering parameter and a second filtering parameter, and wherein;
    - when the first and second filtering parameters are met for an evaluated communication between the first and second devices, the first rule results in the evaluated communication being allowed to pass through the firewall;
      
      when the first filtering parameter is met and the second filtering parameter is not met for the evaluated communication, the evaluation of the first rule results in the evaluated communication being further evaluated by the second rule to determine whether to allow the evaluated communication to pass through the firewall; and
      
      when the first filtering parameter is not met for an evaluated communication between the first and second devices, the evaluation of the first rule results in the evaluated communication being blocked by the firewall without further evaluation by the second rule.

15. A device for use in a computer system that comprises a firewall, at least one first device disposed inside the firewall and at least one second device disposed outside the firewall, the device comprising:
- at least one processor programmed toreceive information on at least one connection security level specified as a constraint of a connection security policy regulating connections in the computer system between the at least one first device and the at least one second device, the at least one connection security level being able be established for a connection between the at least one first device and the at least one second device;
  
  based on the information on the at least one connection security level, configure the firewall with at least one rule for the firewall that determines at least one filtering function that the firewall performs on communications between the at least one first device and the at least one second device, wherein the at least one rule employs at least one filtering parameter identifying the at least one connection security level specified as the constraint of the connection security policy, the at least one filtering parameter having at least one value that is not uniquely limited to a connection between a first device of the at least one first device and a second device of the at least one second device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The device of claim 15, wherein the at least one filtering parameter blocks communications when no security level is established for the connection between the at least one first device and the at least one second device.
  - 17. The device of claim 15, wherein the at least one filtering parameter relates to whether communications over the connection between the at least one first device and the at least one second device are authenticated.
  - 18. The device of claim 15, wherein the at least one filtering parameter relates to whether integrity checking is performed for communications over the connection between the at least one first device and the at least one second device.
  - 19. The device of claim 15, wherein the at least one filtering parameter relates to whether communications over the connection between the at least one first device and the at least one second device are encrypted.
  - 20. The device of claim 15, wherein the at least one rule for the firewall comprises a plurality of rules comprising at least a first rule and a second rule, wherein the first rule comprises at least two filtering parameters comprising a first filtering parameter and a second filtering parameter, and wherein;
    - when the first and second filtering parameters are met for an evaluated communication between the first and second devices, the first rule results in the evaluated communication being allowed to pass through the firewall;
      
      when the first filtering parameter is met and the second filtering parameter is not met for the evaluated communication, the evaluation of the first rule results in the evaluated communication being further evaluated by the second rule to determine whether to allow the evaluated communication to pass through the firewall; and
      
      when the first filtering parameter is not met for an evaluated communication between the first and second devices, the evaluation of the first rule results in the evaluated communication being blocked by the firewall without further evaluation by the second rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yariv, Eran, Diaz Cuellar, Gerardo, Abzarian, David
Primary Examiner(s)
ZIA, SYED

Application Number

US11/804,423
Publication Number

US 20080289027A1
Time in Patent Office

1,803 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/126 the source of the received ...

Incorporating network connection security levels into firewall rules

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Incorporating network connection security levels into firewall rules

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links