Passport-controlled firewall

US 9,900,285 B2
Filed: 08/10/2015
Issued: 02/20/2018
Est. Priority Date: 08/10/2015
Status: Active Grant

First Claim

Patent Images

1. A method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:

receiving from a deployer, by one or more processors, a unit of deployment at a requestor module on a server,wherein the unit of deployment comprises the application code and a signed passport,wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value, andwherein a first hash function is used to generate the first application hash value;

said one or more processors generating a trigger signal within the heart-beat time-out interval;

said one or more processors authenticating the received passport;

said one or more processors hashing the received application code, resulting in a second application hash value,wherein a second hash function is used to generate the second application hash value, andwherein the first hash function and the second hash function are a same hash function;

said one or more processors validating that the received first application hash value and the second application hash value are equal; and

in response to said authenticating and said validating, said one or more processors;

receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval,modifying a firewall in the firewall infrastructure according to the received firewall rule; and

communicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, and associated system and computer program product, for dynamically modifying rules in a firewall infrastructure. A unit of deployment is received at a requestor module at a server. The unit of deployment includes the application code and a signed passport. The passport includes a firewall rule and a first application hash value. The received passport is authenticated, the received application code is hashed resulting in a second application hash value, and it is validated that the received first application hash value and the generated application hash value are equal. In response to the validation, the passport is received by a border control agent of the firewall from the server, a firewall is modified in the firewall infrastructure according to the received firewall rule, and communicating with the application is enabled through the modified firewall.

28 Citations

View as Search Results

11 Claims

1. A method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
- receiving from a deployer, by one or more processors, a unit of deployment at a requestor module on a server,wherein the unit of deployment comprises the application code and a signed passport,wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value, andwherein a first hash function is used to generate the first application hash value;
  
  said one or more processors generating a trigger signal within the heart-beat time-out interval;
  
  said one or more processors authenticating the received passport;
  
  said one or more processors hashing the received application code, resulting in a second application hash value,wherein a second hash function is used to generate the second application hash value, andwherein the first hash function and the second hash function are a same hash function;
  
  said one or more processors validating that the received first application hash value and the second application hash value are equal; and
  
  in response to said authenticating and said validating, said one or more processors;
  
  receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval,modifying a firewall in the firewall infrastructure according to the received firewall rule; and
  
  communicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, said method further comprising:
    - said one or more processors confirming on a regular basis within each of the heart-beat time-out intervals the firewall rule by the requester module of the server to the border control agent of the firewall.
  - 3. The method of claim 1, wherein an encryption used for encrypting the passport is based on an asymmetric encryption process.
  - 4. The method of claim 1, wherein a secure communication channel is established between the requestor module of the server and the border control agent of the firewall.
  - 5. The method of claim 1, wherein an encryption of the passport is based on a public key certificate registered with a trusted signer.

6. A computer program product, comprising one or more computer readable hardware storage devices having computer readable program code stored therein, said program code containing instructions executable by one or more processors to implement a method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
- said one or more processors receiving from a deployer, a unit of deployment at a requestor module on a server,wherein the unit of deployment comprises the application code and a signed passport,wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value andwherein a first hash function is used to generate the first application hash value;
  
  said one or more processors generating a trigger signal within the heart-beat time-out interval;
  
  said one or more processors authenticating the received passport;
  
  said one or more processors hashing the received application code, resulting in a second application hash value,wherein a second hash function is used to generate the second application hash value, andwherein the first hash function and the second hash function are a same hash function;
  
  said one or more processors validating that the received first application hash value and the second application hash value are equal; and
  
  in response to said authenticating and said validating, said one or more processors;
  
  receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval,modifying a firewall in the firewall infrastructure according to the received firewall rule, andcommunicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval.
- View Dependent Claims (7, 8)
- - 7. The computer program product of claim 6, said method further comprising:
    - said one or more processors confirming on a regular basis within each of the heart-beat time-out intervals the firewall rule by the requestor module of the server to the border control agent of the firewall.
  - 8. The computer program product of claim 6, when n encryption used for encrypting the passport is based on an asymmetric encryption process.

9. A computer system, comprising one or more processors, one or more memories, and one or more computer readable hardware storage devices, said one or more storage device containing program code executable by the one or more processors via the one or more memories to implement a method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
- said one or more processors receiving from a deployer, a unit of deployment at a requestor module on a server,wherein the unit of deployment comprises the application code and a signed passport,wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value, andwherein a first hash function is used to generate the first application hash value;
  
  said one or more processors generating a trigger signal within the heart-beat time-out interval;
  
  said one or more processors authenticating the received passport;
  
  said one or more processors hashing the received application code, resulting in a second application hash value,wherein a second hash function is used to generate the second application hash value, andwherein the first hash function and the second hash function are a same hash function;
  
  said one or more processors validating that the received first application hash value and the second application hash value are equal; and
  
  in response to said authenticating and said validating, said one or more processors;
  
  receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval,modifying a firewall in the firewall infrastructure according to the received firewall rule, andcommunicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval.
- View Dependent Claims (10, 11)
- - 10. The computer system of claim 9, said method further comprising:
    - said one or more processors confirming on a regular basis within each of the heart-beat time-out intervals the firewall rule by the requester module of the server to the border control agent of the firewall.
  - 11. The computer system of claim 9, wherein an encryption used for encrypting the passport is based on an asymmetric encryption process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Frank, Joachim H., Karn, Holger
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/821,942
Publication Number

US 20170048198A1
Time in Patent Office

925 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G07C 9/20   involving the use of a pass

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 9/006   involving public key infras...

H04L 9/3268   using certificate validatio...

Passport-controlled firewall

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

11 Claims

Specification

Use Cases

Quick Links

Others

Passport-controlled firewall

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

11 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others