Method and apparatus for automatic risk assessment of a firewall configuration

US 8,677,496 B2
Filed: 07/21/2010
Issued: 03/18/2014
Est. Priority Date: 07/15/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method is comprising the following steps:

receiving a firewall configuration;

algorithmically simulating all potential packet received on an internal model of the firewall;

generating a simulation report that is exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response;

converting the simulation report into a computer searchable file thus enabling detection of firewall mis-configurations;

detecting firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base exhibiting risk items associated with corresponding firewall mis-configurations;

producing a list of risks associated with the firewall based on a customization of the detected firewall mis-configurations, wherein the customization is according to the knowledge base and the simulation report; and

eliminating redundancy of reported risks by defining a suppression code for each risk associated with at least one second risk where the rules of the second risk logically contains the rules of the first risk,wherein the reported risks which have same number of triggering rules as the corresponding second risk defined by suppression code of the first risk, are suppressed,wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the simulation report, andwherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for Automatic Risk Assessment of a Firewall Configuration facilitates the automatic generation of a risk assessment of a given firewall configuration. The method scans the firewall analyzer report, before the human user does, and flag the Configuration errors. Each found mis-configuration is called a risk item. The report is analyzed according a Knowledge Base of known risk items. The method further filters duplicate risk item which are trigger by different rules.

Citations

13 Claims

1. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method is comprising the following steps:
- receiving a firewall configuration;
  
  algorithmically simulating all potential packet received on an internal model of the firewall;
  
  generating a simulation report that is exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response;
  
  converting the simulation report into a computer searchable file thus enabling detection of firewall mis-configurations;
  
  detecting firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base exhibiting risk items associated with corresponding firewall mis-configurations;
  
  producing a list of risks associated with the firewall based on a customization of the detected firewall mis-configurations, wherein the customization is according to the knowledge base and the simulation report; and
  
  eliminating redundancy of reported risks by defining a suppression code for each risk associated with at least one second risk where the rules of the second risk logically contains the rules of the first risk,wherein the reported risks which have same number of triggering rules as the corresponding second risk defined by suppression code of the first risk, are suppressed,wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the simulation report, andwherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema.
- View Dependent Claims (2, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the simulation report is further arranged according to name/type of risk accumulating all rules which triggered said risk, wherein said arrangement is a result of what-if simulation for correlating the risks and their corresponding rules.
  - 4. The method according to claim 1, wherein the Knowledge Base is maintained in an Extensible Markup Language (XML) document.
  - 5. The method according to claim 1, wherein the Knowledge Base is maintained in a relational database.
  - 6. The method according to claim 1, wherein each risk item in said Knowledge Base comprises at least one of:
    - a brief description of the risk item;
      
      a risk rating;
      
      an explanation about the risk item;
      
      links to further details of the risk item; and
      
      a remedy.
  - 7. The method according to claim 1, wherein the List-of-Risks is displayed in HTML format.
  - 8. The method according to claim 1, wherein the List-of-Risks is displayed as a bar chart.
  - 9. The method of claim 1, wherein the risk items are customized before being searched for in said searchable report.
  - 10. The method of claim 1, wherein said List-of-Risks is sorted in decreasing risk rating order.
  - 11. The method of claim 1, wherein each risk item associated with a search expression used by the software module to search the computer searchable file to identify occurrences of said each risk item.

3. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method comprising:
- receiving a firewall configuration;
  
  algorithmically simulating all potential packet received on an internal model of the firewall;
  
  generating a simulation report that is exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response;
  
  converting the simulation report into a computer searchable file enabling detection of firewall mis-configurations;
  
  detecting firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base stored on the memory exhibiting risk items associated with corresponding firewall mis-configurations; and
  
  customizing the detected firewall mis-configurations according to the knowledge base and the simulation report thereby producing a list of risks associated with the firewall;
  
  conducting a simulation of firewall activation for specific risk type defined by a user; and
  
  integrating simulation results within the computer searchable file,wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report, andwherein the searched mis-configurations are in a particular predefined search expression format that correspond with the particular predefined schema, andwherein the integrated computer searchable file enables searching according risk type.

12. A data processing system for detecting firewall mis-configurations of a firewall, operatively associated with a computer network, the system comprising:
- a processor; and
  
  a memory,wherein the processor is configured by a computer readable code such that the processor is operable to;
  
  receive a firewall configuration;
  
  algorithmically simulate all potential packet received on an internal model of the firewall;
  
  generate a simulation report that is exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response;
  
  convert the simulation report into a computer searchable file enabling detection of firewall mis-configurations;
  
  detect firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base stored on the memory exhibiting risk items associated with corresponding firewall mis-configurations;
  
  produce a list of risks associated with the firewall based on a customization of the detected firewall mis-configurations, wherein the customization is according to the knowledge base and the simulation report thereby producing a list of risks associated with the firewall; and
  
  eliminate redundancy of reported risks by defining a suppression code for each risk associated with at least one second risk where the rules of the second risk contains the rules of the first risk, wherein the reported risks which have same number of triggering rules as the corresponding second risk defined by suppression code of the first risk, are suppressed,wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report, andwherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema.

13. A computer implemented method of detecting firewall mis-configurations of a firewall operatively associated with a computer network, the method comprising:
- receiving a firewall configuration;
  
  algorithmically simulating all potential packet receipts on an internal model of the firewall;
  
  generating a simulation report that is exhibiting relationships between any potential packet received by the firewall and a corresponding action taken by the firewall in response;
  
  converting the simulation report into a computer searchable file thus enabling detection of firewall mis-configurations;
  
  detecting firewall mis-configurations by searching the computer searchable file for mis-configurations in view of a predefined knowledge base exhibiting risk items associated with corresponding firewall mis-configurations; and
  
  producing a list of risks associated with the firewall according to customization of the detected firewall mis-configurations, wherein the customization is according to the knowledge base and the simulation report,wherein the computer searchable file obeys a particular predefined schema indicating relationships between objects exhibited on tables in the report, andwherein the searched mis-configurations are in a particular predefined search expression format that corresponds with the particular predefined schema.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Algotec Systems Ltd. (Koninklijke Philips N.V.)
Original Assignee
Algotec Systems Ltd. (Koninklijke Philips N.V.)
Inventors
Wool, Avishai
Primary Examiner(s)
Reza, Mohammad W
Assistant Examiner(s)
RAHIM, MONJUR

Application Number

US12/840,851
Publication Number

US 20100293617A1
Time in Patent Office

1,336 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

H04L 41/0873   Checking configuration conf...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1433   Vulnerability analysis

Method and apparatus for automatic risk assessment of a firewall configuration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for automatic risk assessment of a firewall configuration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links