Passport-controlled firewall
First Claim
1. A method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
- receiving from a deployer, by one or more processors, a unit of deployment at a requestor module on a server,wherein the unit of deployment comprises the application code and a signed passport,wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value, andwherein a first hash function is used to generate the first application hash value;
said one or more processors generating a trigger signal within the heart-beat time-out interval;
said one or more processors authenticating the received passport;
said one or more processors hashing the received application code, resulting in a second application hash value,wherein a second hash function is used to generate the second application hash value, andwherein the first hash function and the second hash function are a same hash function;
said one or more processors validating that the received first application hash value and the second application hash value are equal; and
in response to said authenticating and said validating, said one or more processors;
receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval,modifying a firewall in the firewall infrastructure according to the received firewall rule; and
communicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval.
2 Assignments
0 Petitions
Accused Products
Abstract
A method, and associated system and computer program product, for dynamically modifying rules in a firewall infrastructure. A unit of deployment is received at a requestor module at a server. The unit of deployment includes the application code and a signed passport. The passport includes a firewall rule and a first application hash value. The received passport is authenticated, the received application code is hashed resulting in a second application hash value, and it is validated that the received first application hash value and the generated application hash value are equal. In response to the validation, the passport is received by a border control agent of the firewall from the server, a firewall is modified in the firewall infrastructure according to the received firewall rule, and communicating with the application is enabled through the modified firewall.
28 Citations
11 Claims
-
1. A method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
-
receiving from a deployer, by one or more processors, a unit of deployment at a requestor module on a server, wherein the unit of deployment comprises the application code and a signed passport, wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value, and wherein a first hash function is used to generate the first application hash value; said one or more processors generating a trigger signal within the heart-beat time-out interval; said one or more processors authenticating the received passport; said one or more processors hashing the received application code, resulting in a second application hash value, wherein a second hash function is used to generate the second application hash value, and wherein the first hash function and the second hash function are a same hash function; said one or more processors validating that the received first application hash value and the second application hash value are equal; and in response to said authenticating and said validating, said one or more processors; receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval, modifying a firewall in the firewall infrastructure according to the received firewall rule; and communicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A computer program product, comprising one or more computer readable hardware storage devices having computer readable program code stored therein, said program code containing instructions executable by one or more processors to implement a method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
-
said one or more processors receiving from a deployer, a unit of deployment at a requestor module on a server, wherein the unit of deployment comprises the application code and a signed passport, wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value and wherein a first hash function is used to generate the first application hash value; said one or more processors generating a trigger signal within the heart-beat time-out interval; said one or more processors authenticating the received passport; said one or more processors hashing the received application code, resulting in a second application hash value, wherein a second hash function is used to generate the second application hash value, and wherein the first hash function and the second hash function are a same hash function; said one or more processors validating that the received first application hash value and the second application hash value are equal; and in response to said authenticating and said validating, said one or more processors; receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval, modifying a firewall in the firewall infrastructure according to the received firewall rule, and communicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval. - View Dependent Claims (7, 8)
-
-
9. A computer system, comprising one or more processors, one or more memories, and one or more computer readable hardware storage devices, said one or more storage device containing program code executable by the one or more processors via the one or more memories to implement a method for dynamically modifying rules in a firewall infrastructure for an application code, said method comprising:
-
said one or more processors receiving from a deployer, a unit of deployment at a requestor module on a server, wherein the unit of deployment comprises the application code and a signed passport, wherein the passport comprises a heart-beat time-out interval, a firewall rule, and a first application hash value, and wherein a first hash function is used to generate the first application hash value; said one or more processors generating a trigger signal within the heart-beat time-out interval; said one or more processors authenticating the received passport; said one or more processors hashing the received application code, resulting in a second application hash value, wherein a second hash function is used to generate the second application hash value, and wherein the first hash function and the second hash function are a same hash function; said one or more processors validating that the received first application hash value and the second application hash value are equal; and in response to said authenticating and said validating, said one or more processors; receiving the passport and the trigger signal by a border control agent of the firewall from the requestor module within the heart-beat time-out interval, modifying a firewall in the firewall infrastructure according to the received firewall rule, and communicating with the application code through the modified firewall, else said one or more processors resetting the firewall rule in response to a determination that the trigger signal was not received by the border control agent within the heart-beat time-out interval. - View Dependent Claims (10, 11)
-
Specification