Method and apparatus for graphical presentation of firewall security policy

US 8,701,177 B2
Filed: 03/26/2012
Issued: 04/15/2014
Est. Priority Date: 08/19/2004
Status: Active Grant

First Claim

Patent Images

1. A computer program product for reporting permitted message flows through a firewall, the computer program product comprising:

one or more computer-readable non-transitory storage devices and program instructions stored on the one or more storage devices, the program instructions comprising;

program instructions to generate and display a firewall icon representing the firewall and a network icon, the network icon representing a first network;

program instructions to generate and display a first arrow in a first color pointing from the displayed firewall icon to the displayed network icon to indicate that a first communication is permitted to the first network, the first arrow displayed in the first color to represent a security level of a second network from which the first communication originates and to which the firewall is coupled;

program instructions, responsive to a user selection of the displayed first arrow, to determine and display a list of ports from the second network that are permitted by the firewall to originate messages to the first network and a list of ports of the first network that are permitted by the firewall to receive the messages from the second network;

program instructions to generate and display a second arrow in a second, different color having a substantially triangular tip visually pointing from the displayed firewall icon to the displayed network icon to indicate that a second communication is permitted to the first network, the second arrow displayed in the second, different color to represent a security level of a third network from which the second communication originates and to which the firewall is coupled; and

program instructions, responsive to a user selection of the displayed second arrow, to determine and display a list of ports from the third network that are permitted by the firewall to originate messages to the first network and a list of ports of the first network that are permitted by the firewall to receive the messages from the third network; and

wherein the second network has a different security level than the third network as indicated by the first and second arrows being respectively displayed in the first and second, different colors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A graphical representation of the firewall and a network coupled to the firewall is generated and displayed. A number of an inbound port of the network is displayed. An arrow adjacent to the port number pointing toward the network is displayed to indicate that a communication is permitted to the port. The port number and the arrow are located between an icon for the network and an icon for the firewall. A port number of a destination of a communication originating from the network is displayed. Also, another arrow adjacent to the destination port number pointing toward the firewall is displayed to indicate that a communication is permitted to the destination port number. The destination port number and the other arrow are located between an icon for the network and an icon for the firewall.

35 Citations

View as Search Results

12 Claims

1. A computer program product for reporting permitted message flows through a firewall, the computer program product comprising:
- one or more computer-readable non-transitory storage devices and program instructions stored on the one or more storage devices, the program instructions comprising;
  
  program instructions to generate and display a firewall icon representing the firewall and a network icon, the network icon representing a first network;
  
  program instructions to generate and display a first arrow in a first color pointing from the displayed firewall icon to the displayed network icon to indicate that a first communication is permitted to the first network, the first arrow displayed in the first color to represent a security level of a second network from which the first communication originates and to which the firewall is coupled;
  
  program instructions, responsive to a user selection of the displayed first arrow, to determine and display a list of ports from the second network that are permitted by the firewall to originate messages to the first network and a list of ports of the first network that are permitted by the firewall to receive the messages from the second network;
  
  program instructions to generate and display a second arrow in a second, different color having a substantially triangular tip visually pointing from the displayed firewall icon to the displayed network icon to indicate that a second communication is permitted to the first network, the second arrow displayed in the second, different color to represent a security level of a third network from which the second communication originates and to which the firewall is coupled; and
  
  program instructions, responsive to a user selection of the displayed second arrow, to determine and display a list of ports from the third network that are permitted by the firewall to originate messages to the first network and a list of ports of the first network that are permitted by the firewall to receive the messages from the third network; and
  
  wherein the second network has a different security level than the third network as indicated by the first and second arrows being respectively displayed in the first and second, different colors.
- View Dependent Claims (2, 3, 7, 8, 9)
- - 2. The computer program product of claim 1, further comprising:
    - program instructions, stored on at least one of the one or more storage devices, to generate and display between the firewall icon and the network icon identifications of inbound ports of the first network permitted by the firewall to receive messages from the second and third networks.
  - 3. The computer program product of claim 1, further comprising:
    - program instructions, stored on at least one of the one or more storage devices, to determine and display on or adjacent to the firewall icon a count of vulnerability problems with the firewall, a count of misconfiguration problems with the firewall, or a combination thereof.
  - 7. The computer program product of claim 1, wherein the network icon representing the first network is a first network icon, and wherein the computer program product further comprises:
    - program instructions, stored on the one or more storage devices, to display a second network icon representing the second network and to display the second network icon coupled to the firewall icon; and
      
      program instructions, stored on the one or more storage devices, to display a third network icon representing the third network and to display the third network icon coupled to the firewall icon.
  - 8. The computer program product of claim 7, wherein (i) the program instructions to display the firewall icon and the first network icon coupled to the firewall icon, (ii) the program instructions to display the first arrow pointing to the first network icon, (iii) the program instructions to display the second arrow pointing to the first network icon, (iv) the program instructions to display the second network icon coupled to the firewall icon, and (v) the program instructions to display the third network icon coupled to the firewall icon are configured to simultaneously display the firewall icon, the first network icon coupled to the firewall icon, the first arrow pointing to the first network icon, the second arrow pointing to the first network icon, the second network icon coupled to the firewall icon, and the third network icon coupled to the firewall icon.
  - 9. The computer program product of claim 7, further comprising:
    - program instructions, stored on the one or more storage devices, to deduce, from a configuration file of the firewall represented by the firewall icon, an existence of another firewall that permits or blocks data flow between the third network and a fourth network; and
      
      program instructions, stored on the one or more storage devices, to display an icon of the other firewall, responsive to a user selection of the displayed third network icon while the first network icon, the second network icon, the third network icon, and the firewall icon are being simultaneously displayed and while the icon of the other firewall is not being displayed.

4. A computer system for reporting permitted message flows through a firewall, the computer system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable non-transitory storage devices, and program instructions stored on the one or more storage devices for execution by the one or more processors via the one or more memories, the program instructions comprising;
  
  program instructions to generate and display a firewall icon representing the firewall and a network icon, the network icon representing a first network;
  
  program instructions to generate and display a first arrow in a first color pointing from the displayed firewall icon to the displayed network icon to indicate that a first communication is permitted to the first network, the first arrow displayed in the first color to represent a security level of a second network from which the first communication originates and to which the firewall is coupled;
  
  program instructions, responsive to a user selection of the displayed first arrow, to determine and display a list of ports from the second network that are permitted by the firewall to originate messages to the first network and a list of ports of the first network that are permitted by the firewall to receive the messages from the second network;
  
  program instructions to generate and display a second arrow in a second, different color having a substantially triangular tip visually pointing from the displayed firewall icon to the displayed network icon to indicate that a second communication is permitted to the first network, the second arrow displayed in the second, different color to represent a security level of a third network from which the second communication originates and to which the firewall is coupled; and
  
  program instructions, responsive to a user selection of the displayed second arrow, to determine and display a list of ports from the third network that are permitted by the firewall to originate messages to the first network and a list of ports of the first network that are permitted by the firewall to receive the messages from the third network; and
  
  wherein the second network has a different security level than the third network as indicated by the first and second arrows being respectively displayed in the first and second, different colors.
- View Dependent Claims (5, 6, 10, 11, 12)
- - 5. The computer system of claim 4, further comprising:
    - program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to generate and display between the firewall icon and the network icon identifications of inbound ports of the first network permitted by the firewall to receive messages from the second and third networks.
  - 6. The computer system of claim 4, further comprising:
    - program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to determine and display on or adjacent to the firewall icon a count of vulnerability problems with the firewall, a count of misconfiguration problems with the firewall, or a combination thereof.
  - 10. The computer system of claim 4, wherein the network icon representing the first network is a first network icon, and wherein the computer system further comprises:
    - program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to display a second network icon representing the second network and to display the second network icon coupled to the firewall icon; and
      
      program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to display a third network icon representing the third network and to display the third network icon coupled to the firewall icon.
  - 11. The computer system of claim 10, wherein (i) the program instructions to display the firewall icon and the first network icon coupled to the firewall icon, (ii) the program instructions to display the first arrow pointing to the first network icon, (iii) the program instructions to display the second arrow pointing to the first network icon, (iv) the program instructions to display the second network icon coupled to the firewall icon, and (v) the program instructions to display the third network icon coupled to the firewall icon are configured to simultaneously display the firewall icon, the first network icon coupled to the firewall icon, the first arrow pointing to the first network icon, the second arrow pointing to the first network icon, the second network icon coupled to the firewall icon, and the third network icon coupled to the firewall icon.
  - 12. The computer system of claim 10, further comprising:
    - program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to deduce, from a configuration file of the firewall represented by the firewall icon, an existence of another firewall that permits or blocks data flow between the third network and a fourth network; and
      
      program instructions, stored on the one or more storage devices for execution by the one or more processors via the one or more memories, to display an icon of the other firewall, responsive to a user selection of the displayed third network icon while the first network icon, the second network icon, the third network icon, and the firewall icon are being simultaneously displayed and while the icon of the other firewall is not being displayed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Anderson, Brooke Madsen, Bunn, Wiliam C., Karnes, Mary, Lieberman, Sarah M., Wilczek, Mira E.
Primary Examiner(s)
Zecher, Cordelia
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US13/430,186
Publication Number

US 20120216270A1
Time in Patent Office

750 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1433   Vulnerability analysis

H04L 67/75   Indicating network or usage...

Method and apparatus for graphical presentation of firewall security policy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for graphical presentation of firewall security policy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links