Automatically recommending firewall rules during enterprise information technology transformation

US 9,100,363 B2
Filed: 09/14/2012
Issued: 08/04/2015
Est. Priority Date: 08/31/2012
Status: Expired due to Fees

First Claim

Patent Images

1. An article of manufacture comprising a non-transitory computer readable storage medium having computer readable instructions tangibly embodied thereon which, when implemented, cause a computer to carry out a plurality of method steps comprising:

obtaining at least one communication pattern occurring in a pre-transformation source environment by analyzing (i) one or more firewall configuration files and/or firewall log files associated with the source environment, (ii) one or more run-time network flows at the source environment, and (iii) one or more configured dependencies at one or more servers running on the source environment;

automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces, on a per-interface basis, in a post-transformation target environment based on (i) the at least one communication pattern occurring in the source environment and (ii) information derived from the target environment, wherein the one or more vendor-neutral firewall rules contain multiple attributes and values associated therewith for configuring flow-control rules on a firewall device that is not specific to any particular vendor, and wherein said automatically generating comprises;

generating a transformed version of the at least one communication pattern by applying source-target host and internet protocol (IP) subnet mapping information to the at least one communication pattern;

generating an adjusted version of the at least one communication pattern by incorporating one or more communication requirements associated with the target environment to the transformed version of the at least one communication pattern; and

identifying a subset of the adjusted version of the at least one communication pattern to be utilized for each of the multiple intended firewall interface in the post-transformation target environment; and

automatically converting the one or more vendor-neutral firewall rules into one or more vendor-specific firewall rules for the target environment based on information derived from the target environment, wherein the one or more vendor-specific firewall rules comprise commands to be directly used to configure a particular firewall device associated with a particular vendor.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and computer program product for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment include obtaining at least one communication pattern occurring in a pre-transformation source environment, and automatically generating one or more vendor-neutral rules for one or more intended firewall interfaces in a post-transformation target environment based on the at least one communication pattern occurring in the source environment and based on information derived from the target environment.

62 Citations

View as Search Results

19 Claims

1. An article of manufacture comprising a non-transitory computer readable storage medium having computer readable instructions tangibly embodied thereon which, when implemented, cause a computer to carry out a plurality of method steps comprising:
- obtaining at least one communication pattern occurring in a pre-transformation source environment by analyzing (i) one or more firewall configuration files and/or firewall log files associated with the source environment, (ii) one or more run-time network flows at the source environment, and (iii) one or more configured dependencies at one or more servers running on the source environment;
  
  automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces, on a per-interface basis, in a post-transformation target environment based on (i) the at least one communication pattern occurring in the source environment and (ii) information derived from the target environment, wherein the one or more vendor-neutral firewall rules contain multiple attributes and values associated therewith for configuring flow-control rules on a firewall device that is not specific to any particular vendor, and wherein said automatically generating comprises;
  
  generating a transformed version of the at least one communication pattern by applying source-target host and internet protocol (IP) subnet mapping information to the at least one communication pattern;
  
  generating an adjusted version of the at least one communication pattern by incorporating one or more communication requirements associated with the target environment to the transformed version of the at least one communication pattern; and
  
  identifying a subset of the adjusted version of the at least one communication pattern to be utilized for each of the multiple intended firewall interface in the post-transformation target environment; and
  
  automatically converting the one or more vendor-neutral firewall rules into one or more vendor-specific firewall rules for the target environment based on information derived from the target environment, wherein the one or more vendor-specific firewall rules comprise commands to be directly used to configure a particular firewall device associated with a particular vendor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The article of manufacture of claim 1, wherein obtaining at least one communication pattern further comprises:
    - using manually provided information about one or more flows at the source environment.
  - 3. The article of manufacture of claim 1, wherein information derived from the target environment used for automatically generating one or more vendor-neutral firewall rules comprises at least one of:
    - firewall topology;
      
      security zone topology;
      
      security zone contents; and
      
      a new internet protocol (IP) address and subnet information.
  - 4. The article of manufacture of claim 1, wherein obtaining at least one communication pattern further comprises obtaining information pertaining to service ports.
  - 5. The article of manufacture of claim 1, wherein automatically generating one or more vendor-neutral rules comprises:
    - determining whether a communication pattern and/or one or more additional requirements from the target environment are relevant for the multiple firewall interfaces in the target environment; and
      
      automatically generating one or more vendor-neutral per-interface rules for one or more intended interfaces in the target environment based on the at least one communication pattern occurring in the source environment and/or one or more additional requirements from the target environment that are determined relevant for each interface.
  - 6. The article of manufacture of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises generating at least one transformed communication pattern by applying a source environment-target environment IP address or subnet mapping to the at least one communication pattern occurring in the source environment.
  - 7. The article of manufacture of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises incorporating new communication and/or new security requirements from the target environment.
  - 8. The article of manufacture of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises incorporating information pertaining to zone contents and firewall interfaces of the target environment.
  - 9. The article of manufacture of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises applying heuristics and/or user-provided information to identify one or more service ports.
  - 10. The article of manufacture of claim 1, wherein only a subset of devices in the source environment are transformed.
  - 11. The article of manufacture of claim 1, wherein firewall and/or security zone topology in the target environment is partially or fully different from that of the source environment.
  - 12. The article of manufacture of claim 1, wherein one or more devices in the target environment are from a different vendor and/or model and/or platform from one or more devices in the source environment.
  - 13. The article of manufacture of claim 1, wherein one or more firewall devices are physical or virtual devices.
  - 14. The article of manufacture of claim 1, wherein one or more security requirements in the source environment differ from those in the target environment.
  - 15. The article of manufacture of claim 1, wherein one or more connectivity requirements in the source environment differ from those in the target environment.
  - 16. The article of manufacture of claim 1, wherein information derived from the target environment comprises already-implemented vendor-specific firewall rules in the target environment.
  - 17. The article of manufacture of claim 1, wherein automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces in a target environment comprises accounting for one or more rules already implemented for the target environment'"'"'s firewalls and recommending additions, deletions, and/or updates to the one or more rules.
  - 18. The article of manufacture of claim 1, the method steps comprising automatically generating one or more vendor-specific firewall rules for a target environment during an enterprise information technology transformation activity, wherein an enterprise information technology transformation activity comprises at least one of migration, consolidation, virtualization, data center relocation, and cloudification of at least one application or server or service from a source information technology infrastructure to a target information technology infrastructure.

19. A system for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment, comprising:
- at least one distinct software module, each distinct software module being embodied on a tangible computer-readable medium;
  
  a memory; and
  
  at least one processor coupled to the memory and operative for;
  
  obtaining at least one communication pattern occurring in a pre-transformation source environment by analyzing (i) one or more firewall configuration files and/or firewall log files associated with the source environment, (ii) one or more run-time network flows at the source environment, and (iii) one or more configured dependencies at one or more servers running on the source environment; and
  
  automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces, on a per-interface basis, in a post-transformation target environment based on the at least one communication pattern occurring in the source environment and (ii) information derived from the target environment, wherein the one or more vendor-neutral firewall rules contain multiple attributes and values associated therewith for configuring flow-control rules on a firewall device that is not specific to any particular vendor, and wherein said automatically generating comprises;
  
  generating a transformed version of the at least one communication pattern by applying source-target host and internet protocol (IP) subnet mapping information to the at least one communication pattern;
  
  generating an adjusted version of the at least one communication pattern by incorporating one or more communication requirements associated with the target environment to the transformed version of the at least one communication pattern; and
  
  identifying a subset of the adjusted version of the at least one communication pattern to be utilized for each of the multiple intended firewall interface in the post-transformation target environment; and
  
  automatically converting the one or more vendor-neutral firewall rules into one or more vendor-specific firewall rules for the target environment based on information derived from the target environment, wherein the one or more vendor-specific firewall rules comprise commands to be directly used to configure a particular firewall device associated with a particular vendor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Burchfield, Nancy L., Hang, Nathaniel, Hosn, Rafah A., Murray, James W., Ramasamy, Harigovind V.
Primary Examiner(s)
Chao, Michael
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US13/618,298
Publication Number

US 20140068701A1
Time in Patent Office

1,054 Days
Field of Search

709/220, 709/225, 709/246, 726/1, 726/11, 726/14, 726/22
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

Automatically recommending firewall rules during enterprise information technology transformation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Automatically recommending firewall rules during enterprise information technology transformation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others