Enhanced personal firewall for dynamic computing environments

US 8,745,720 B2
Filed: 08/22/2012
Issued: 06/03/2014
Est. Priority Date: 03/09/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A personal firewall system comprising:

a processor, a computer readable, tangible storage device, a computer readable memory, and program instructions, stored on the storage device for execution by the processor via the memory, the program instructions comprising;

program instructions to bind to a specified communications port, and to listen for incoming firewall trust requests; and

program instructions, responsive to detecting an incoming firewall trust request;

to establish an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewalls;

to transmit a communication handshake identification response to the remote firewall responsive to receipt of a communication handshake identification request from the remote firewall;

responsive to receipt of a remote firewall public encryption key, to transmit a local firewall public encryption key to the remote firewall;

responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, to verify that the signed trusted computer request is signed using the received remote firewall public encryption key; and

responsive to determining that the remote firewall has not been previously authorized to establish trusted access, to modify local firewall rules to allow data communications through the remote firewall and through the local firewall;

wherein the communication handshake identification request and the communication handshake identification response utilize a pre-determined port for negotiations of a trusted relationship, and wherein the communication handshake identification request and communication handshake identification response indicate a supported protocol version and an acceptable key algorithm.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enhanced personal firewall system having an inter-firewall connection listener which binds to a specified communications port and listens for inbound and/or outbound connection requests; and an inter-firewall controller which establishes a trusted communications through a local firewall and a remote firewall by exchanging public keys, a signed trusted computer firewall request, and using the keys to determine if a local key storage indicates previous authorization to trusted communications. If not, then a user of the targeted resource is notified and prompted to authorize the access. If so, then the firewall rules protecting the targeted resource are modified, even if temporarily, to allow the requesting firewall to have trusted access.

66 Citations

9 Claims

1. A personal firewall system comprising:
- a processor, a computer readable, tangible storage device, a computer readable memory, and program instructions, stored on the storage device for execution by the processor via the memory, the program instructions comprising;
  
  program instructions to bind to a specified communications port, and to listen for incoming firewall trust requests; and
  
  program instructions, responsive to detecting an incoming firewall trust request;
  
  to establish an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewalls;
  
  to transmit a communication handshake identification response to the remote firewall responsive to receipt of a communication handshake identification request from the remote firewall;
  
  responsive to receipt of a remote firewall public encryption key, to transmit a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, to verify that the signed trusted computer request is signed using the received remote firewall public encryption key; and
  
  responsive to determining that the remote firewall has not been previously authorized to establish trusted access, to modify local firewall rules to allow data communications through the remote firewall and through the local firewall;
  
  wherein the communication handshake identification request and the communication handshake identification response utilize a pre-determined port for negotiations of a trusted relationship, and wherein the communication handshake identification request and communication handshake identification response indicate a supported protocol version and an acceptable key algorithm.
- View Dependent Claims (2, 3)
- - 2. The system as set forth in claim 1 wherein the processor is disposed in a personal firewall product having a network communications stack operable by a host computer, the stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against the packets to either allow or deny packet access to or from a host computer, to allow an inter-firewall connection listener to bind to a specified port, to accept incoming transmissions from other host firewalls, and to allow the inter-firewall connection listener to bind to a specified communications port.
  - 3. The system as set forth in claim 1 wherein binding to a specified communications port comprises binding to a Transmission Control Protocol/Internet Protocol port.

4. A computer-implemented method for providing an enhanced firewall comprising the steps of:
- binding a listener portion of a computing platform to a specified communications port;
  
  listening by the listener for incoming firewall trust requests;
  
  responsive to detection of an incoming firewall connection request by an application program protected by a remote firewall to a resource protected by a local firewall;
  
  transmitting a communication handshake identification response to the remote firewall responsive to receipt of a communication handshake identification request from the remote firewall;
  
  responsive to receipt of a remote firewall public encryption key, transmitting a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, verifying that the signed trusted computer request is signed using the received remote firewall public encryption key; and
  
  responsive to determining that the remote firewall has not been previously authorized to establish trusted access, modifying local firewall rules to allow data communications through the remote firewall and through the local firewall;
  
  wherein the communication handshake identification request and the communication handshake identification response utilize a pre-determined port for negotiations of a trusted relationship, and wherein the communication handshake identification request and communication handshake identification response indicate a supported protocol version and an acceptable key algorithm.
- View Dependent Claims (5, 6)
- - 5. The method as set forth in claim 4 wherein the steps are performed by a personal firewall product having a network communications stack operable by a host computer, with the stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against the packets to either allow or deny packet access to or from a host computer.
  - 6. The method as set forth in claim 4 wherein the binding comprises binding to a Transmission Control Protocol/Internet Protocol port.

7. A computer readable storage memory device comprising:
- a tangible, computer readable storage memory device;
  
  first computer instructions for binding a listener to a specified communications port;
  
  second computer instructions for listening by the listener for incoming firewall trust requests;
  
  third computer instructions for, responsive to detection of an incoming firewall trust request;
  
  transmitting a communication handshake identification response to the remote firewall responsive to receipt of a communication handshake identification request from the remote firewall;
  
  responsive to receipt of a remote firewall public encryption key, transmitting a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, verifying that the signed trusted computer request is signed using the received remote firewall public encryption key; and
  
  responsive to determining that the remote firewall has not been previously authorized to establish trusted access, modifying local firewall rules to allow data communications through the remote firewall and through the local firewall;
  
  wherein the first, second and third computer instructions are stored by the tangible, computer readable storage memory device, and wherein the communication handshake identification request and the communication handshake identification response utilize a pre-determined port for negotiations of a trusted relationship, and wherein the communication identification handshake request and the communication identification handshake response indicate a supported protocol version and an acceptable key algorithm.
- View Dependent Claims (8, 9)
- - 8. The tangible, computer readable storage memory device as set forth in claim 7 wherein the computer instructions are performed by a personal firewall product having a network communications stack operable by a host computer, the stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against the packets to either allow or deny packet access to or from a host computer.
  - 9. The tangible, computer readable storage memory device as set forth in claim 7 wherein the first computer instructions bind to a Transmission Control Protocol/Internet Protocol port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bansal, Ravi Prakash, Hamilton, Rick Allen II, O'Connell, Brian, Walker, Keith Raymond
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US13/591,457
Publication Number

US 20120324562A1
Time in Patent Office

650 Days
Field of Search

726/11, 726/2, 726/3, 713/150, 713/168, 713/176
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

Enhanced personal firewall for dynamic computing environments

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

Enhanced personal firewall for dynamic computing environments

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others