Protecting network devices by a firewall

US 10,412,048 B2
Filed: 04/14/2017
Issued: 09/10/2019
Est. Priority Date: 02/08/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a first computer system implementing a first gateway to a private network, a connection request from a client device, wherein the private network comprises one or more network devices;

after receiving the connection request, receiving, by the first computer system, a client access list indicating those of the network devices in the private network that are allowed to communicate with the client device;

starting, on the first computer system, a firewall service for a first network tunnel between the client device and the first gateway;

deriving, by the first computer system, a set of firewall rules from the client access list; and

applying, by the firewall service, the set of firewall rules to selectively block and allow network traffic between the client device and the one or more network devices in the private network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide for management of a gateway. In one embodiment, a method includes: in response to a request from a client device, establishing, by a computer system implementing a gateway to a private network, a network tunnel between the client device and the gateway; and starting a firewall service with a set of firewall rules on the computer system for selectively blocking and allowing network traffic between the client device and one or more network devices in the private network.

174 Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, by a first computer system implementing a first gateway to a private network, a connection request from a client device, wherein the private network comprises one or more network devices;
  
  after receiving the connection request, receiving, by the first computer system, a client access list indicating those of the network devices in the private network that are allowed to communicate with the client device;
  
  starting, on the first computer system, a firewall service for a first network tunnel between the client device and the first gateway;
  
  deriving, by the first computer system, a set of firewall rules from the client access list; and
  
  applying, by the firewall service, the set of firewall rules to selectively block and allow network traffic between the client device and the one or more network devices in the private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the client access list comprises a script, and the method further comprises executing, by the first computer system, the script to obtain a list of IP addresses, and updating the set of firewall rules based on the obtained list of IP addresses.
  - 3. The method of claim 1, wherein the client access list comprises a script, and the method further comprises:
    - after starting the firewall service, executing the script to retrieve IP addresses or ports;
      
      adding the retrieved IP addresses or ports to the client access list;
      
      after adding the obtained IP addresses or ports to the client access list, deriving, using the client access list, one or more new firewall rules; and
      
      applying, by the firewall service, the new firewall rules for the first network tunnel.
  - 4. The method of claim 3, wherein the script queries a second computer system to retrieve the IP addresses or ports.
  - 5. The method of claim 4, wherein the script is Javascript, the script is further configured to make a connection, using a REST API or a database query, to the second computer system to retrieve a list of destinations, and the list of destinations comprises the IP addresses or ports.
  - 6. The method of claim 1, wherein the client access list comprises a first access rule, and the first access rule includes a host or domain name as a destination.
  - 7. The method of claim 6, wherein:
    - the deriving further comprises translating the host or domain name into a network address used in a first firewall rule; and
      
      the host or domain name is further translated into a network address used in a second firewall rule.
  - 8. The method of claim 1, wherein the client access list is received from at least one of the client device, or an authentication service on a second computer system.
  - 9. The method of claim 1, wherein the deriving the set of firewall rules is performed by a management module of the first computer system, and the method further comprises retrieving the set of firewall rules from the management module.
  - 10. The method of claim 1, wherein the client access list comprises a first access rule, the first access rule includes a description, the deriving the set of firewall rules comprises translating the description into a plurality of destination addresses, and each of the set of firewall rules uses a respective one of the destination addresses.
  - 11. The method of claim 10, wherein the description is a domain name.
  - 12. The method of claim 1, wherein the client access list comprises a first access rule including a script.
  - 13. The method of claim 12, further comprising:
    - executing, by the first computer system, the script to query a remote computer system;
      
      receiving, from the remote computer system in response to the querying, a list of network addresses;
      
      updating the client access list by adding the list of network addresses; and
      
      updating, based on the updated client access list, the set of firewall rules.
  - 14. The method of claim 1, wherein:
    - the client access list comprises a first access rule that is a call to a web service being provided by a second computer system;
      
      the client access list further comprises at least one access rule allowing traffic to all destination addresses of those access rules in the client list that have a predetermined text string in their respective description; and
      
      the method further comprises receiving, from the second computer system in reply to the call to the web service, a list of network devices using an API according to metadata assigned to virtual instances in a cloud.
  - 15. The method of claim 1, wherein:
    - the client access list comprises a first access rule that identifies a first network device of the private network by specifying a service of a second computer system that can access the first network device; and
      
      the service is a web service that enables retrieval of a list of network devices.
  - 16. The method of claim 1, further comprising retrieving the client access list from an authentication service that manages access to network devices in the private network.
  - 17. The method of claim 1, wherein the client access list comprises a first access rule identifying a network device by a name, and deriving the set of firewall rules comprises translating the first access rule into multiple firewall rules.
  - 18. The method of claim 17, wherein the name is a host name or a domain name.

19. A system, comprising:
- at least one processor; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  receive, by a first computer system implementing a first gateway to a private network, a connection request from a client device, wherein the private network comprises one or more network devices;
  
  after receiving the connection request, receive, by the first computer system, a client access list indicating those of the network devices in the private network that are allowed to communicate with the client device;
  
  start, on the first computer system, a firewall service for a first network tunnel between the client device and the first gateway;
  
  derive, by the first computer system, a set of firewall rules from the client access list; and
  
  apply, by the firewall service, the set of firewall rules to selectively block and allow network traffic between the client device and the one or more network devices in the private network.

20. A non-transitory computer readable storage medium storing computer-readable instructions, which when executed, cause a first computer system implementing a first gateway to a private network to at least:
- receive, by the first computer system, a connection request from a client device, wherein the private network comprises one or more network devices;
  
  after receiving the connection request, receive, by the first computer system, a client access list indicating those of the network devices in the private network that are allowed to communicate with the client device;
  
  start, on the first computer system, a firewall service for a first network tunnel between the client device and the first gateway;
  
  derive, by the first computer system, a set of firewall rules from the client access list; and
  
  apply, by the firewall service, the set of firewall rules to selectively block and allow network traffic between the client device and the one or more network devices in the private network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Original Assignee
Cryptzone North America Inc. (Cryptzone Group AB)
Inventors
Glazemakers, Kurt, Allansson, Per Johan, Cellerier, Thomas Bruno Emmanuel, Valianos, Kosmas, Weber, Tom Viljo
Primary Examiner(s)
Kim, Tae K

Application Number

US15/488,132
Publication Number

US 20170230333A1
Time in Patent Office

879 Days
Field of Search
US Class Current
CPC Class Codes

H04L 47/70   Admission control; Resource...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/101   Access control lists [ACL]

Protecting network devices by a firewall

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

174 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting network devices by a firewall

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links