Method and system for management of security rule set

US 9,203,808 B2
Filed: 05/01/2013
Issued: 12/01/2015
Est. Priority Date: 05/18/2009
Status: Active Grant

First Claim

Patent Images

1. A method of automated managing an ordered set of security rules implemented at a plurality of security gateways, the method comprising:

obtaining data characterizing a connectivity request which may become allowable only upon changes of an initial rule-set, thus giving rise to an unfitting connectivity request;

analyzing routing tables of the plurality of the security gateways;

generating ranking the security gateways in accordance with their relevance to the unfitting connectivity request;

selecting one or more security gateways with the highest ranking; and

implementing a configuration change required in order to facilitate allowance of the unfitting connectivity request at the one or more selected security gateways.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a method of automated managing an ordered set of security rules implemented at a plurality of security gateways and a system thereof. The method comprises obtaining data characterizing a connectivity request which may become allowable only upon changes of an initial rule-set, thus giving rise to an unfitting connectivity request; analyzing routing tables of the plurality of the security gateways; generating ranking the security gateways in accordance with their relevance to the unfitting connectivity request; selecting one or more security gateways with the highest ranking; and implementing a configuration change required in order to facilitate allowance of the unfitting connectivity request at the one or more selected security gateways.

14 Citations

View as Search Results

20 Claims

1. A method of automated managing an ordered set of security rules implemented at a plurality of security gateways, the method comprising:
- obtaining data characterizing a connectivity request which may become allowable only upon changes of an initial rule-set, thus giving rise to an unfitting connectivity request;
  
  analyzing routing tables of the plurality of the security gateways;
  
  generating ranking the security gateways in accordance with their relevance to the unfitting connectivity request;
  
  selecting one or more security gateways with the highest ranking; and
  
  implementing a configuration change required in order to facilitate allowance of the unfitting connectivity request at the one or more selected security gateways.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the configuration change is implemented at each one of the selected security gateways.
  - 3. The method of claim 1, wherein the relevance of a certain security gateway to the unfitting connectivity request is defined in accordance with at least one condition selected from a group consisted of:
    - the source and destination specified in the unfitting connectivity request are routed on the same interface of the certain security gateway;
      
      the source and destination specified in the unfitting connectivity request are routed on the same routing entry of a routing table of the certain security gateway;
      
      the source and destination specified in the connectivity request are directly connected;
      
      the source and destination specified in the unfitting connectivity request are explicitly routable in a routing table of the certain security gateway.
  - 4. The method of claim 1 further comprising automated generating the configuration change.
  - 5. The method of claim 4, wherein the automated generating the configuration change comprises:
    - searching for a rule within said ordered set of security rules, said rule best matching to be amended in order to facilitate allowance of the unfitting connectivity request, wherein best matching is defined in accordance with one or more predefined criteria; and
      
      automated generating amendment of the best matching rule, said amendment capable to facilitate allowance of the unfitting connectivity request.
  - 6. The method of claim 5, wherein at least one predefined criterion is related to extra allowed traffic resulting from the amendment.
  - 7. The method of claim 5, wherein at least one predefined criterion is related to requested traffic restricted after amendment by one or more rules above the amended rule.
  - 8. The method of claim 5, wherein at least one predefined criterion characterizes a relation between allowed traffic in the amended rule- set and traffic allowed in the initial rule-set.
  - 9. The method of claim 5, wherein at least one predefined criterion characterizes a relation between entire added traffic and traffic which needs to be added in accordance with the unfitting connectivity request.
  - 10. The method of claim 5, wherein at least one predefined criterion characterizes a relation between requested traffic rejected resulting from amendment and requested traffic allowed resulting from amendment.
  - 11. The method of claim 5, wherein at least one predefined criterion characterizes a relation between requested traffic rejected resulting from amendment and entire requested traffic.
  - 12. The method of claim 5, wherein at least one predefined criterion is selected from a group consisted of:
    - criterion characterizing a relation between allowed traffic in the amended rule- set and traffic allowed in the initial rule-set;
      
      criterion characterizing a relation between entire added traffic and traffic which needs to be added in accordance with the unfitting connectivity request;
      
      criterion characterizing a relation between requested traffic rejected resulting from amendment and requested traffic allowed resulting from amendment;
      
      criterion characterizing a relation between requested traffic rejected resulting from amendment and entire requested traffic;
      
      and wherein the rule is considered as best matching if it fits at least one of said criteria and/or combination thereof.
  - 13. The method of claim 12 further comprising automated searching for a plurality of rules enabling a predefined range of at least one of said criteria, and selecting the best matching rule among them.
  - 14. The method of claim 12 further comprising automated searching, for each said criterion, at least one rule enabling the minimal value of respective criterion, and selecting the best matching rules among them.
  - 15. The method of claim 5 further comprising presenting the generated amendment to a user for approval prior to implementing said amendment.
  - 16. The method of claim 5 further comprising validating the generated amendment prior to implementing.

17. A computerized system capable of managing an ordered set of security rules implemented at a plurality of security gateways, the system comprising a non-transitory computer readable storage medium comprising computer readable instructions executable by the system for:
- obtaining data characterizing a connectivity request which may become allowable only upon changes of an initial rule-set, thus giving rise to an unfitting connectivity request;
  
  analyzing routing tables of the plurality of the security gateways;
  
  generating ranking the security gateways in accordance with their relevance to the unfitting connectivity request;
  
  selecting one or more security gateways with the highest ranking; and
  
  implementing a configuration change required in order to facilitate allowance of the unfitting connectivity request at the one or more selected security gateways.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the configuration change is implemented at each one of the selected security gateways.
  - 19. The system of claim 17, wherein the relevance of a certain security gateway to the unfitting connectivity request is defined in accordance with at least one condition selected from a group consisted of:
    - the source and destination specified in the unfitting connectivity request are routed on the same interface of the certain security gateway;
      
      the source and destination specified in the unfitting connectivity request are routed on the same routing entry of a routing table of the certain security gateway;
      
      the source and destination specified in the connectivity request are directly connected;
      
      the source and destination specified in the unfitting connectivity request are explicitly routable in a routing table of the certain security gateway.
  - 20. The system of claim 17 further comprising meant for automated generating the configuration change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Harrison, Reuven, Hamelin, Michael
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US13/874,943
Publication Number

US 20130247169A1
Time in Patent Office

944 Days
Field of Search

726/12
US Class Current

1/1
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/0281 Proxies

Method and system for management of security rule set

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and system for management of security rule set

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others