Method of configuring a security gateway and system thereof

US 8,490,171 B2
Filed: 07/14/2008
Issued: 07/16/2013
Est. Priority Date: 07/14/2008
Status: Active Grant

First Claim

Patent Images

1. A method of configuring a security gateway by means of a processor operatively coupled to a memory, the method comprising:

a) accommodating in the memory an initial rule-set;

b) obtaining log records of communication events corresponding to the initial rule-set to obtain a sufficient amount of log records;

c) generating, with the processor, a transformation-based rule-set by transforming the obtained log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed obtained log record, and wherein an action in the rule is defined as “

Accept”

; and

d) generating an operable rule-set by processing, with the processor, the transformation-based rule-set, whereingenerating the operable rule-set by processing of transformation-based rule-set comprises;

a) identifying and removing duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein each remaining rule is provided with an initial hit count characterizing a number of respective duplicated rules before removing; and

b) consolidating the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein each consolidated rule is provided with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a rule-set generator and a method of automated configuration of a security gateway. The method comprises setting-up an initial rule-set; obtaining log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records; transforming the obtained log records into respective rules, wherein source, destination and service fields in each rule correspond to source, destination and service values in respective obtained log record, and the action in all rules is defined as “Accept”, thus giving rise to a transformation-based rule-set; and processing the transformation-based rule-set so as to generate an operable rule-set by processing the transformation-based rule-set.

Citations

26 Claims

1. A method of configuring a security gateway by means of a processor operatively coupled to a memory, the method comprising:
- a) accommodating in the memory an initial rule-set;
  
  b) obtaining log records of communication events corresponding to the initial rule-set to obtain a sufficient amount of log records;
  
  c) generating, with the processor, a transformation-based rule-set by transforming the obtained log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed obtained log record, and wherein an action in the rule is defined as “
  
  Accept”
  
  ; and
  
  d) generating an operable rule-set by processing, with the processor, the transformation-based rule-set, whereingenerating the operable rule-set by processing of transformation-based rule-set comprises;
  
  a) identifying and removing duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein each remaining rule is provided with an initial hit count characterizing a number of respective duplicated rules before removing; and
  
  b) consolidating the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein each consolidated rule is provided with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 24)
- - 2. The method of claim 1 wherein the initial rule-set is related to all traffic to be controlled by the security gateway and consists of only one rule, the one rule permitting any traffic between any data network resources.
  - 3. The method of claim 1 wherein the initial rule-set is related to a part of the traffic to be controlled by the security gateway.
  - 4. The method of claim 1 wherein the initial rule-set is integrated with a pre-configured rule-set.
  - 5. The method of claim 4 wherein the integration is provided by adding an “
    - Accept-All-And-Log”
      
      rule as a last rule to the pre-configured rule-set.
  - 6. The method of claim 1 wherein at least part of the obtained log records are generated by the security gateway which is configured to control at least part of traffic in accordance with said initial rule-set.
  - 7. The method of claim 1 wherein at least part of the log records is obtained by sniffing the traffic to be controlled by the security gateway and logging respective communication events.
  - 8. The method of claim 1 wherein the sufficient amount of log records is characterized by achieving a certain threshold.
  - 9. The method of claim 1 wherein the sufficient amount of log records is characterized by terminating a certain substantial collection period.
  - 10. The method of claim 1 wherein the obtained log records are normalized before transforming.
  - 11. The method of claim 1 further comprising:
    - adjusting the operable rule-set in accordance with a policy format used by a certain security gateway vendor.
  - 12. The method of claim 1 further comprising:
    - repeating operations b)-d) while using the generated operable rule-set instead of the initial rule-set so as to generate a refined operable rule-set.
  - 13. The method of claim 1 wherein the consolidated rule-set is further optimized by reordering the rules in accordance with each rule'"'"'s consolidation hit count, wherein more frequent rules are put higher in a rule table.
  - 14. The method of claim 1 wherein the consolidated rule-set is further adjusted according to at least one criterion selected from a group comprising:
    - vulnerability black lists, organizational policies, best practices, recommended white lists, regulations, and standards for security gateways.
  - 15. The method of claim 1 wherein consolidating comprises combining a range of IP addresses of respective sources and/or destinations in a sub-network.
  - 16. The method of claim 15 wherein said range of IP addresses is non-consecutive and combining in a sub-network is provided in accordance with a Subnet Threshold Parameter (STM) defined as a ratio of a largest allowable gap in network IP addresses to a number of addresses in a resulting sub-network.
  - 24. The method of claim 1, wherein generating the operable rule-set by processing the transformation-based rule-set comprises:
    - consolidating at least part of the rules in the transformation-based rule-set by combining a range of IP addresses of at least one of respective sources and destinations in a sub-network, whereinsaid range of IP addresses is non-consecutive and combining in a sub-network is provided in accordance with a Subnet Threshold Parameter (STM) defined as a ratio of a largest allowable gap in network IP addresses to a number of addresses in a resulting sub-network.

17. A rule-set generator comprising:
- a) a first memory configured to accommodate an initial rule-set to be used for configuring a security gateway;
  
  b) a second memory configured to accommodate log records of communication events corresponding to the initial rule-set;
  
  c) a processor operatively coupled to the first repository and the second repository, the processor being configured to;
  
  i) generate a transformation-based rule-set by transforming said accommodated log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed log record, and wherein an action in the rule is defined as “
  
  Accept”
  
  ; and
  
  ii) generate an operable rule-set by processing the transformation-based rule-set, whereinthe processor is further configured to generate the operable rule-set by processing the transformation-based rule-set as follows;
  
  a) to identify and remove duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein to provide each remaining rule with an initial hit count characterizing a number of respective duplicated rules before removing; and
  
  b) to consolidate the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein to provide each consolidated rule with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 25)
- - 18. The rule-set generator of claim 17 further comprising:
    - a sniffer operatively coupled to the second memory and capable of (1) capturing network traffic to be controlled by the security gateway and (2) generating respective log records.
  - 19. The rule-set generator of claim 17 wherein the rule-set generator is at least partly integrated with the security gateway.
  - 20. The rule-set generator of claim 17 wherein the initial rule-set is related to all traffic to be controlled by the security gateway and consists of only one rule, the one rule permitting any traffic between any data network resources.
  - 21. The rule-set generator of claim 17 wherein at least part of the log records accommodated in the second memory is generated by the security gateway which is configured to control at least part of traffic in accordance with said initial rule-set.
  - 22. The rule-set generator of claim 17 wherein the consolidation comprises combining a range of IP addresses of respective sources and/or destinations in a sub-network.
  - 23. The rule-set generator of claim 22 wherein said range of IP addresses is non-consecutive and combining in a sub-network is provided in accordance with a Subnet Threshold Parameter (STM) defined as a ratio of a largest allowable gap in network IP addresses to a number of addresses in a resulting sub-network.
  - 25. The rule-set generator of claim 17, wherein the processor is further configured to consolidate at least part of the rules in the transformation-based rule-set by combining a range of IP addresses of at least one of respective sources and destinations in a sub-network, whereinsaid range of IP addresses is non-consecutive and combining in a sub-network is provided in accordance with a Subnet Threshold Parameter (STM) defined as a ratio of a largest allowable gap in network IP addresses to a number of addresses in a resulting sub-network.

26. A computer program product comprising a non-transitory computer readable medium storing computer readable program code for a computer generating a rule-set, the computer program product comprising:
- computer readable program code for causing the computer to accommodate in a memory an initial rule-set;
  
  computer readable program code for causing the computer to obtain log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records;
  
  computer readable program code for causing the computer to generate a transformation-based rule-set by transforming the obtained log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed obtained log record, and wherein an action in the rule is defined as “
  
  Accept”
  
  ; and
  
  computer readable program code for causing the computer to generate an operable rule-set by processing the transformation-based rule-set, whereinthe computer readable program code is further configured to cause the computer to generate the operable rule-set by processing the transformation-based rule-set as follows;
  
  a) to identify and remove duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein to provide each remaining rule with an initial hit count characterizing a number of respective duplicated rules before removing; and
  
  b) to consolidate the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein to provide each consolidated rule with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Harrison, Reuven, Persky, Yakov
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US12/172,838
Publication Number

US 20100011433A1
Time in Patent Office

1,828 Days
Field of Search

726/1, 726/11, 726/12, 726/22, 713/153, 713/154, 709/220, 709/238
US Class Current

726/12
CPC Class Codes

H04L 63/0263 Rule management

Method of configuring a security gateway and system thereof

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method of configuring a security gateway and system thereof

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links