Generalized security policy management system and method

US 5,950,195 A
Filed: 09/18/1996
Issued: 09/07/1999
Est. Priority Date: 09/18/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method of regulating the flow of internetwork connections through a firewall having a network protocol stack, wherein the network protocol stack includes an Internet Protocol (IP) layer, the method comprising the steps of:

determining parameters characteristic of a connection request, wherein the parameters include a netelement parameter characteristic of where the connection request came from;

generating a query, wherein the step of generating a query includes the step of adding the parameters to a query list;

determining if there is a rule corresponding to the query;

if there is a rule, determining if authentication is required by the rule;

if authentication is required by the rule, executing an authentication protocol; and

activating the connection if the authentication protocol is completed successfully.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for regulating the flow of internetwork connections through a firewall having a network protocol stack which includes an Internet Protocol (IP) layer. A determination is made of the parameters characteristic of a connection request, including a netelement parameter characteristic of where the connection request came from. A query is generated and a determination is made whether there is a rule corresponding to that query. If there is a rule corresponding to the query, a determination is made whether authentication is required by the rule. If authentication is required by the rule, an authentication protocol is activated and the connection is activated if the authentication protocol is completed successfully.

550 Citations

19 Claims

1. A method of regulating the flow of internetwork connections through a firewall having a network protocol stack, wherein the network protocol stack includes an Internet Protocol (IP) layer, the method comprising the steps of:
- determining parameters characteristic of a connection request, wherein the parameters include a netelement parameter characteristic of where the connection request came from;
  
  generating a query, wherein the step of generating a query includes the step of adding the parameters to a query list;
  
  determining if there is a rule corresponding to the query;
  
  if there is a rule, determining if authentication is required by the rule;
  
  if authentication is required by the rule, executing an authentication protocol; and
  
  activating the connection if the authentication protocol is completed successfully.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1 wherein the step of executing an authentication protocol includes the step of calling a warder.
  - 3. The method according to claim 1 wherein the step of determining if there is a rule corresponding to the query includes the step of accessing a relational database with the query.
  - 4. The method according to claim 1 wherein the netelement parameter identifies a group of host names.
  - 5. The method according to claim 1 wherein the netelement parameter identifies a group of IP addresses.
  - 6. The method according to claim 1 wherein the netelement parameter identifies a group of subnets.
  - 7. The method according to claim 1 wherein the netelement parameter identifies a group of netgroups, wherein a netgroup is a collection of netelements.
  - 8. The method according to claim 1 wherein the netelement parameter identifies a group of DNS domains.

9. A method of regulating the flow of internetwork connections through a firewall having a network protocol stack, wherein the network protocol stack includes an Internet Protocol (IP) layer, the method comprising the steps of:
- forming an access control list, wherein the access control list includes a plurality of rules, wherein each rule includes a plurality of rule parameters and values associated with said rule parameters;
  
  determining query parameters characteristic of a connection request, wherein said query parameters include a netelement parameter characteristic of where the connection request came from;
  
  generating a query, wherein the step of generating a query includes the step of adding the query parameters to a query list;
  
  applying the query to the access control list, wherein the step of applying includes the step of determining if there is a rule corresponding to the query;
  
  if there is a rule, determining if authentication is required by the rule;
  
  if authentication is required by the rule, executing an authentication protocol; and
  
  activating the connection is the authentication protocol is completed successfully.
- View Dependent Claims (10, 11)
- - 10. The method according to claim 9, wherein the method further comprises the steps of:
    - monitoring time of day; and
      
      closing connections at predefined times of the day.
  - 11. The method according to claim 9, wherein the query parameters include a URL parameter.

12. A firewall, comprising:
- a first communications interface;
  
  a second communications interface;
  
  a first network protocol stack connected to the first communications interface, wherein the first network protocol stack includes an Internet Protocol (IP) layer and a transport layer;
  
  a second network protocol stack connected to the second communications interface, wherein the second network protocol stack includes an Internet Protocol (IP) layer and a transport layer, wherein communication between the first and second communications interfaces passes through a proxy operably coupled to the protocol stacks and communication is otherwise restricted between the protocol stacks;
  
  an access control list process, wherein the access control list process accesses a plurality of rules implementing a security policy; and
  
  an agent, connected to the access control list process and to the transport layers of said first and second network protocol stacks, wherein the agent receives messages from the transport layer, sends the access control list process a query based on parameters associated with the message and executes an authentication protocol selected by the access control list process as a result of the query.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The firewall according to claim 12 wherein the first network protocol stack and the first communications interface are assigned to a first burb and the second network protocol stack and the second communications interface are assigned to a second burb.
  - 14. The firewall according to claim 13 wherein the query includes a burb symbol identifying the first burb and wherein the authentication protocol selected by the access control list process varies as a function of the burb symbol.
  - 15. The firewall according to claim 12 wherein the query includes a sender symbol identifying the sender of the message and wherein the authentication protocol selected by the access control list process varies as a function of the sender symbol.
  - 16. The firewall according to claim 12 wherein the first network protocol stack includes a decryption process, operating at the IP layer, that decrypts encrypted messages received by said first communications interface and forwards the decrypted message to the agent via the transport layer.
  - 17. The firewall according to claim 12 wherein the authentication protocol selected by the access control list process varies as a function of whether a message was encrypted or not when received by the IP layer.

18. A computer program product, comprising:
- a computer usable medium having computer readable program code embodied thereon, the computer readable program code, when executed, implementing on the computer a method of regulating the flow of internetwork connections through a firewall having a network protocol stack, wherein the network protocol stack includes an Internet Protocol (IP) layer, the method comprising the steps of;
  
  determining parameters characteristic of a connection request, wherein the parameters include a netelement parameter characteristic of where the connection request came from;
  
  generating a query, wherein the step of generating a query includes the step of adding the parameters to a query list;
  
  determining if there is a rule corresponding to the query;
  
  if there is a rule, determining if authentication is required by the rule;
  
  if authentication is required by the rule, executing an authentication protocol; and
  
  activating the connection if the authentication protocol is completed successfully.
- View Dependent Claims (19)
- - 19. The computer program product according to claim 18, wherein the step of executing an authentication protocol includes the step of calling a warder.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Klietz, Alan E., Stockwell, Edward B.
Primary Examiner(s)
Black, Thomas G.
Assistant Examiner(s)
LEWIS, CHERYL RENEA

Application Number

US08/715,668
Time in Patent Office

1,084 Days
Field of Search

380/25, 380/23, 395/615, 395/187.01, 395/206.12, 707/3, 707/4, 707/100, 707/102, 707/103, 707/104, 707/513
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 69/16   Implementation or adaptatio...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99943   Generating database or data...

Y10S 707/99945   Object-oriented database st...

Generalized security policy management system and method

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

550 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Generalized security policy management system and method

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

550 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links