AUTOMATICALLY GENERATING RULES FOR CONNECTION SECURITY

US 20120054825A1
Filed: 11/08/2011
Published: 03/01/2012
Est. Priority Date: 07/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method performed by a processor executing computer-executable instructions stored in a memory of a computer system to create a firewall policy and a connection policy, the executed method further comprising:

providing a user interface through which a user can specify security rules relating to the firewall policy and the connection policy; and

automatically generating by the processor firewall rules and connection rules from the specified security rules, the security rules being higher level rules than the firewall rules and the connection rules, the generated firewall rules for input into a firewall engine and specifying addresses of computing devices that are authorized to send data to the computer system and the generated connection rules for input into an internet protocol security engine and specifying an authentication protocol for authenticating a computing device that sends data to the computer system and a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.

Citations

20 Claims

1. A method performed by a processor executing computer-executable instructions stored in a memory of a computer system to create a firewall policy and a connection policy, the executed method further comprising:
- providing a user interface through which a user can specify security rules relating to the firewall policy and the connection policy; and
  
  automatically generating by the processor firewall rules and connection rules from the specified security rules, the security rules being higher level rules than the firewall rules and the connection rules, the generated firewall rules for input into a firewall engine and specifying addresses of computing devices that are authorized to send data to the computer system and the generated connection rules for input into an internet protocol security engine and specifying an authentication protocol for authenticating a computing device that sends data to the computer system and a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein a connection rule specifies behavior of the IP security protocol.
  - 3. The method of claim 1 wherein a connection rule specifies key exchange, data protection, and authentication associated with a connection.
  - 4. The method of claim 1 wherein a security rule specifies a condition and an action to take when the condition is satisfied and authentication and encryption behavior for data that satisfies the condition.
  - 5. The method of claim 1 wherein a firewall rule includes a condition and action to take when the condition is satisfied and the condition may be based on connection security information.
  - 6. The method of claim 1 wherein a user through the user interface can specify security suites for main mode and quick mode of an IP security protocol.
  - 7. The method of claim 3 wherein the security suites for main mode include an authentication method and a crypto suite.
  - 8. The method of claim 3 wherein the security suites for quick mode include a crypto suite.
  - 9. The method of claim 3 wherein a connection rule is automatically generated based on default security suites.

10. A computer-readable storage device storing computer-executable instructions for controlling a computer system to create a firewall policy and a connection policy, by a method comprising:
- providing security rules of a security policy of an enterprise; and
  
  automatically generating by the computer system firewall rules and connection rules from the provided security rules, the firewall rules and the connection rules being lower level rules than the security, the generated firewall rules for input into a firewall engine of enterprise computing devices and specifying addresses of computing devices that are authorized to send data to the enterprise computing devices and the generated connection rules for input into an internet protocol security engine of the enterprise computing devices and specifying an authentication protocol for authenticating a computing device that sends data to the enterprise computing devices.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-readable storage device of claim 10 wherein the generated connect rules further specify a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the enterprise computing devices.
  - 12. The computer-readable storage device of claim 10 including distributing the firewall rules and the connection rules to the enterprise computing devices to implement the security policy of the enterprise.
  - 13. The computer-readable storage device of claim 10 wherein outbound connection rules are automatically generated based on inbound connection rules so that the enterprise computing systems have matching inbound and outbound security suites.
  - 14. The computer-readable storage device of claim 10 wherein a connection rule specifies behavior of the IP security protocol.
  - 15. The computer-readable storage device of claim 10 wherein a connection rule specifies key exchange, data protection, and authentication associated with a connection.

16. A computer system that automatically generates a firewall policy and a connection policy based on a security policy with security rules, the security rules being higher level rules than the firewall rules and the connection rules, the computer system comprising:
- a memory storing computer-executable instructions of;
  
  a component that generates firewall rules from the specified security rules for input into a firewall engine of a target device, generated firewall rules specifying addresses of computing devices that are authorized to send data to the target computing device; and
  
  a component that generates connection rules from the security rules of the security policy for input into an internet protocol security engine of the target device, the generated connection rules specifying an authentication protocol for authenticating a computing device that sends data to the target computing device; and
  
  a processor that executes the computer-executable instructions stored in the memory.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer system of claim 16 wherein the connection rules further specify a confidentiality protocol and an integrity protocol for ensuring the confidentiality and integrity of data sent to the target computing device.
  - 18. The computer system of claim 16 wherein a connection rule specifies behavior of the IP security protocol.
  - 19. The computer system of claim 16 wherein a connection rule specifies key exchange, data protection, and authentication associated with a connection.
  - 20. The computer system of claim 16 wherein a security rule specifies a condition and an action to take when the condition is satisfied and authentication and encryption behavior for data that satisfies the condition and wherein a firewall rule includes a condition and action to take when the condition is satisfied and the condition may be based on connection security information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bassett, Charles D., Yariv, Eran, Carbaugh, Ian M., Koppolu, Lokesh Srinivas, Noy, Maksim, Wahlert, Sarah A., Bahl, Pradeep

Granted Patent

US 8,490,153 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

AUTOMATICALLY GENERATING RULES FOR CONNECTION SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATICALLY GENERATING RULES FOR CONNECTION SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links