Integrated computer security management system and method

US 8,701,176 B2
Filed: 01/16/2012
Issued: 04/15/2014
Est. Priority Date: 09/07/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving at a computer security device a first indication from a firewall that a first packet is accepted based upon a first firewall rule, wherein the firewall is different from the computer security device;

in response to receiving the first indication and in response to the computer security device being in an available mode, determining by the computer security device whether to send the first packet based on the first indication and on a first evaluation by the computer security device, wherein processing by the firewall and by the computer security device are performed in parallel;

in further response to receiving the first indication and in response to the computer security device being in a monitor mode, sending the first packet without waiting for the first evaluation and collecting by the computer security device data about the first packet;

receiving at the computer security device a second indication from the firewall that a second packet is trusted, wherein the second packet is determined by the firewall to be trusted by identifying a source of the second packet, comparing the identified source to a predetermined list, and if the identified source matches a source on the list, designating the second packet as trusted and originating from a trusted data provider;

in response to receiving the second indication, sending the second packet without waiting for a second evaluation by the computer security device and irrespective of the second evaluation made by the computer security device;

determining at the computer security device whether the second packet matches a signature in the computer security device; and

in response to determining that the second packet matches the signature, modifying the predetermined list to designate future packets from the source of the second packet as un-trusted and originating from an un-trusted data provider.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present disclosure can be designed to communicate process or status information and packets with one another. The present disclosure can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component.

Citations

20 Claims

1. A method comprising:
- receiving at a computer security device a first indication from a firewall that a first packet is accepted based upon a first firewall rule, wherein the firewall is different from the computer security device;
  
  in response to receiving the first indication and in response to the computer security device being in an available mode, determining by the computer security device whether to send the first packet based on the first indication and on a first evaluation by the computer security device, wherein processing by the firewall and by the computer security device are performed in parallel;
  
  in further response to receiving the first indication and in response to the computer security device being in a monitor mode, sending the first packet without waiting for the first evaluation and collecting by the computer security device data about the first packet;
  
  receiving at the computer security device a second indication from the firewall that a second packet is trusted, wherein the second packet is determined by the firewall to be trusted by identifying a source of the second packet, comparing the identified source to a predetermined list, and if the identified source matches a source on the list, designating the second packet as trusted and originating from a trusted data provider;
  
  in response to receiving the second indication, sending the second packet without waiting for a second evaluation by the computer security device and irrespective of the second evaluation made by the computer security device;
  
  determining at the computer security device whether the second packet matches a signature in the computer security device; and
  
  in response to determining that the second packet matches the signature, modifying the predetermined list to designate future packets from the source of the second packet as un-trusted and originating from an un-trusted data provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the computer security device comprises an intrusion detection system.
  - 3. The method of claim 1, wherein determining by the firewall whether the second packet should be deemed trusted comprises comparing the second packet with a second firewall rule.
  - 4. The method of claim 1, further comprising:
    - copying the second packet; and
      
      forwarding the copy of the second packet to the computer security device.
  - 5. The method of claim 1, further comprising:
    - receiving at the computer security device a third indication that a third packet violates a third rule of the firewall; and
      
      in response to receiving the third indication, dropping the third packet.
  - 6. The method of claim 1, further comprising:
    - evaluating the second packet with a virus scanning device.
  - 7. The method of claim 1, further comprising:
    - determining that a third packet is destined for a secured computer network; and
      
      in response to determining that the third packet is destined for a secured computer network, sending the third packet to the secured computer network and to the computer security device.
  - 8. The method of claim 1, further comprising:
    - receiving at the computer security device a third indication that a third packet is rejected by the firewall; and
      
      receiving at the computer security device a fourth indication that a fourth packet is denied by the firewall.

9. A non-transitory computer-readable medium comprising code for carrying out a method, the method comprising:
- receiving at a computer security device a first indication from a firewall that a first packet is accepted based upon a first firewall rule, wherein the firewall is different from the computer security device;
  
  in response to receiving the first indication and in response to the computer security device being in an available mode, determining by the computer security device whether to send the first packet based on the first indication and on a first evaluation by the computer security device, wherein the processing by the firewall and by the computer security device are performed in parallel;
  
  in further response to receiving the first indication and in response to the computer security device being in a monitor mode, sending the first packet without waiting for the first evaluation and collecting by the computer security device data about the first packet;
  
  receiving at the computer security device a second indication from the firewall that a second packet is trusted, wherein the second packet is determined by the firewall to be trusted by identifying a source of the second packet, comparing the identified source to a predetermined list, and if the identified source matches a source on the list, designating the second packet as trusted and originating from a trusted data provider;
  
  in response to receiving the second indication, sending the second packet without waiting for a second evaluation by the computer security device and irrespective of the second evaluation made by the computer security device; and
  
  determining at the computer security device whether the second packet matches a signature in the computer security device; and
  
  in response to determining that the second packet matches the signature, modifying the predetermined list to designate future packets from the source of the second packet as un-trusted and originating from an un-trusted data provider.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer-readable medium of claim 9, the method further comprising:
    - copying the second packet; and
      
      forwarding the copy of the second packet to the computer security device.
  - 11. The computer-readable medium of claim 9, the method further comprising:
    - receiving at the computer security device a third indication that a third packet violates a third rule of the firewall; and
      
      in response to receiving the third indication, dropping the third packet.
  - 12. The computer-readable medium of claim 9, the method further comprising:
    - determining that a third packet is destined for a secured computer network; and
      
      in response to determining that the third packet is destined for a secured computer network, sending the third packet to the secured computer network and to the computer security device.
  - 13. The computer-readable medium of claim 9, the method further comprising:
    - receiving at the computer security device a third indication that a third packet is rejected by the firewall; and
      
      receiving at the computer security device a fourth indication that a fourth packet is denied by the firewall.

14. An intrusion detection system comprising:
- a memory; and
  
  a processor for executing code stored in the memory, and operable to at least;
  
  inform a firewall that the intrusion detection system is in an available mode for packet processing;
  
  in response to informing the firewall that the intrusion detection system is in the available mode, to;
  
  receive a first indication from the firewall that a first packet is accepted based upon a first firewall rule, wherein the firewall is different from the intrusion detection system and processing by the firewall and by the computer security device are performed in parallel;
  
  in response to receiving the first indication, determine whether to send the first packet based on the first indication and on a first evaluation by the intrusion detection system;
  
  receive a second indication from the firewall that a second packet is trusted; and
  
  in response to receiving the second indication;
  
  send the second packet without waiting for a second evaluation by the intrusion detection system;
  
  determine whether the second packet matches a signature in the intrusion detection system; and
  
  in response to determining that the second packet matches the signature, modify a predetermined list of the firewall to designate future packets from a source of the second packet as un-trusted and originating from an un-trusted data provider;
  
  inform the firewall that the intrusion detection system is in a monitor mode; and
  
  in response to informing the firewall that the intrusion detection system is in the monitor mode;
  
  receive a third indication from the firewall that a third packet is accepted based upon a third firewall rule; and
  
  in response to receiving the third indication;
  
  send the third packet without waiting for a third evaluation; and
  
  collect data about the third packet.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The intrusion detection system of claim 14, wherein determining by the firewall whether the second packet should be deemed trusted comprises comparing the second packet with a second firewall rule.
  - 16. The intrusion detection system of claim 14, the processor further operable to:
    - copy the second packet; and
      
      forward the copy of the second packet to the computer security device.
  - 17. The intrusion detection system of claim 14, the processor further operable to:
    - receive at the computer security device a third indication that a third packet violates a third rule of the firewall; and
      
      in response to receiving the third indication, drop the third packet.
  - 18. The intrusion detection system of claim 14, the processor further operable to:
    - evaluate the second packet with a virus scanning device.
  - 19. The intrusion detection system of claim 14, the processor further operable to:
    - determine that a third packet is destined for a secured computer network; and
      
      in response to determining that the third packet is destined for a secured computer network, send the third packet to the secured computer network.
  - 20. The intrusion detection system of claim 14, the processor further operable to:
    - receive a third indication that a third packet is rejected by the firewall; and
      
      receive a fourth indication that a fourth packet is denied by the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Ketts, Kevin, Ramsey, Jon R.
Primary Examiner(s)
SHAW, YIN CHEN

Application Number

US13/350,997
Publication Number

US 20120117640A1
Time in Patent Office

820 Days
Field of Search

726 22- 24, 726/11, 726/13, 713/188
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Integrated computer security management system and method

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated computer security management system and method

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links