Integrated computer security management system and method
First Claim
1. A method comprising:
- receiving at a computer security device a first indication from a firewall that a first packet is accepted based upon a first firewall rule, wherein the firewall is different from the computer security device;
- in response to receiving the first indication and in response to the computer security device being in an available mode, determining by the computer security device whether to send the first packet based on the first indication and on a first evaluation by the computer security device, wherein processing by the firewall and by the computer security device are performed in parallel;
- in further response to receiving the first indication and in response to the computer security device being in a monitor mode, sending the first packet without waiting for the first evaluation and collecting by the computer security device data about the first packet;
- receiving at the computer security device a second indication from the firewall that a second packet is trusted, wherein the second packet is determined by the firewall to be trusted by identifying a source of the second packet, comparing the identified source to a predetermined list, and if the identified source matches a source on the list, designating the second packet as trusted and originating from a trusted data provider;
- in response to receiving the second indication, sending the second packet without waiting for a second evaluation by the computer security device and irrespective of the second evaluation made by the computer security device;
- determining at the computer security device whether the second packet matches a signature in the computer security device; and
- in response to determining that the second packet matches the signature, modifying the predetermined list to designate future packets from the source of the second packet as un-trusted and originating from an un-trusted data provider.
Abstract
The present disclosure is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present disclosure can be designed to communicate process or status information and packets with one another. The present disclosure can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component.
20 Claims
1. (Independent claim 1, as set out above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A non-transitory computer-readable medium comprising code for carrying out a method, the method comprising:
- receiving at a computer security device a first indication from a firewall that a first packet is accepted based upon a first firewall rule, wherein the firewall is different from the computer security device;
- in response to receiving the first indication and in response to the computer security device being in an available mode, determining by the computer security device whether to send the first packet based on the first indication and on a first evaluation by the computer security device, wherein the processing by the firewall and by the computer security device are performed in parallel;
- in further response to receiving the first indication and in response to the computer security device being in a monitor mode, sending the first packet without waiting for the first evaluation and collecting by the computer security device data about the first packet;
- receiving at the computer security device a second indication from the firewall that a second packet is trusted, wherein the second packet is determined by the firewall to be trusted by identifying a source of the second packet, comparing the identified source to a predetermined list, and if the identified source matches a source on the list, designating the second packet as trusted and originating from a trusted data provider;
- in response to receiving the second indication, sending the second packet without waiting for a second evaluation by the computer security device and irrespective of the second evaluation made by the computer security device;
- determining at the computer security device whether the second packet matches a signature in the computer security device; and
- in response to determining that the second packet matches the signature, modifying the predetermined list to designate future packets from the source of the second packet as un-trusted and originating from an un-trusted data provider.
Dependent claims: 10, 11, 12, 13
14. An intrusion detection system comprising:
- a memory; and
- a processor for executing code stored in the memory, and operable to at least:
  - inform a firewall that the intrusion detection system is in an available mode for packet processing;
  - in response to informing the firewall that the intrusion detection system is in the available mode, to:
    - receive a first indication from the firewall that a first packet is accepted based upon a first firewall rule, wherein the firewall is different from the intrusion detection system and processing by the firewall and by the computer security device are performed in parallel;
    - in response to receiving the first indication, determine whether to send the first packet based on the first indication and on a first evaluation by the intrusion detection system;
    - receive a second indication from the firewall that a second packet is trusted; and
    - in response to receiving the second indication:
      - send the second packet without waiting for a second evaluation by the intrusion detection system;
      - determine whether the second packet matches a signature in the intrusion detection system; and
      - in response to determining that the second packet matches the signature, modify a predetermined list of the firewall to designate future packets from a source of the second packet as un-trusted and originating from an un-trusted data provider;
  - inform the firewall that the intrusion detection system is in a monitor mode; and
  - in response to informing the firewall that the intrusion detection system is in the monitor mode:
    - receive a third indication from the firewall that a third packet is accepted based upon a third firewall rule; and
    - in response to receiving the third indication:
      - send the third packet without waiting for a third evaluation; and
      - collect data about the third packet.
Dependent claims: 15, 16, 17, 18, 19, 20
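The packet flow the claims describe, as an added Python simulation that is not code from the patent: the firewall indicates whether a packet is trusted (on the predetermined list) or merely accepted by a rule, the IDS either evaluates in parallel (available mode) or only collects data (monitor mode), trusted packets are forwarded irrespective of the IDS verdict, and a signature hit on a trusted packet removes that source from the list so its later packets are treated as un-trusted. The class names, the "dropped" outcome for packets no rule accepts, and the sample sources and signature are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    AVAILABLE = "available"  # IDS evaluates in parallel; its verdict gates forwarding
    MONITOR = "monitor"      # IDS only collects data; packet is forwarded at once

@dataclass
class Packet:
    src: str
    payload: bytes

@dataclass
class Firewall:
    trusted_sources: set  # the claims' "predetermined list" of trusted data providers
    allow_rules: set      # sources accepted by an ordinary firewall rule (assumed)

    def classify(self, pkt):
        """Indication passed to the IDS: 'trusted', 'accepted' or (assumed) 'dropped'."""
        if pkt.src in self.trusted_sources:
            return "trusted"
        return "accepted" if pkt.src in self.allow_rules else "dropped"

@dataclass
class IDS:
    firewall: Firewall
    signatures: tuple  # constructed byte-string signatures
    mode: Mode = Mode.AVAILABLE
    collected: list = field(default_factory=list)

    def matches_signature(self, pkt):
        return any(sig in pkt.payload for sig in self.signatures)

    def handle(self, pkt, indication):
        """Return 'sent' or 'blocked' for one packet, given the firewall's indication."""
        if indication == "dropped":
            return "blocked"
        if indication == "trusted":
            # Forwarded irrespective of the verdict; still matched so a hit demotes the source.
            if self.matches_signature(pkt):
                self.firewall.trusted_sources.discard(pkt.src)
            return "sent"
        if self.mode is Mode.MONITOR:
            self.collected.append(pkt)  # sent without waiting for the evaluation
            return "sent"
        # Available mode: the parallel evaluation gates forwarding.
        return "blocked" if self.matches_signature(pkt) else "sent"

def process(ids, pkt):
    # Firewall indication first, then the IDS decision, as the claimed method orders them.
    return ids.handle(pkt, ids.firewall.classify(pkt))
```

Running a signature-matching packet from a trusted source twice shows the claimed behaviour: the first copy is forwarded and demotes the source, the second copy is then blocked in available mode but forwarded and recorded in monitor mode.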