Multilayer firewall system
Abstract
A system provides for establishing security in a network that includes nodes having security functions operating in multiple protocol layers. Multiple network devices, such as remote access equipment, routers, switches, repeaters and network cards having security functions, are configured to contribute to implementation of distributed firewall functions in the network. By distributing firewall functionality throughout many layers of the network in a variety of network devices, a pervasive firewall is implemented. The pervasive, multilayer firewall includes a policy definition component that accepts policy data that defines how the firewall should behave. The policy definition component can be a centralized component, or a component that is distributed over the network. The multilayer firewall also includes a collection of network devices that are used to enforce the defined policy. The security functions operating in this collection of network devices across multiple protocol layers are coordinated by the policy definition component so that particular devices enforce that part of the policy pertinent to their part of the network.
Claims (70)

1. A system providing multiple protocol layer security in a network including nodes of a plurality of network device types, with nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node in the network, comprising:

a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes in the network;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes, wherein the security functions operating in the plurality of network device types across multiple protocol layers are coordinated by the security policy so that particular device types enforce the part of the security policy pertinent to the associated part of the network.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23.)

21. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:

a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes, wherein the topology data store includes data indicating nodes coupled to network links to nodes external to the set of nodes, active nodes in the network capable of enforcing a security policy and passive nodes which are incapable of enforcing, or not trusted to enforce, a security policy; and wherein the security policy statements indicate security policies for active nodes, passive nodes, and for communications traversing network links to nodes external to the set of the nodes in the network;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.

22. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:

a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes, wherein the topology data store includes data indicating active nodes capable of enforcing a security policy and passive nodes which are incapable of enforcing, or not trusted to enforce, a security policy;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.

(Dependent claim: 24.)

25. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:

a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network, wherein the configuration interface includes a script interpreter which interprets a script language to determine the security policy statements, wherein the script language includes a syntax for specifying a security policy statement including a source set identifier, a destination identifier, a communication activity identifier, and a rule for the identified communication activity between the identified source set and the identified destination set; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes, wherein the configuration driver includes resources to identify security policy statements which cannot be enforced according to the data in the topology data store.

26. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:

a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes, wherein the topology data store includes data structures providing information for particular nodes, including network layer addresses, medium access control (MAC) layer addresses, user identifiers, whether or not the particular node is trusted to enforce security policy, the type of security policy it is able to enforce, and its connections to other nodes;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.

27. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node, comprising:

a topology data store, storing information about security functions operating in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented among nodes in the network, wherein the security policy statements indicate security policies for communication between a source set including one or more end stations in the network, and a destination set including one or more end stations in the network, and wherein the configuration driver includes resources to identify a cut vertex set of nodes capable of enforcing the indicated security policies within the set of nodes in the network, and to establish the configuration data in the nodes in the cut vertex set; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for the plurality of types of nodes in the network, and which conveys the configuration data to the nodes.

(Dependent claim: 28.)

29. A system providing security in a network including nodes of a plurality of types, nodes in a set of the nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node in the network, comprising:

a topology data store, storing information about security functions in the set of the nodes in the network, and about interconnection of nodes in the set of the nodes in the network, the topology data store including data structures providing information for particular nodes, including addresses at one or more protocol layers, whether or not the particular node is trusted to enforce security policy, the type of security policy the particular node is able to enforce, and connections of the particular node to other nodes;

a configuration interface, coupled to the topology data store, including an input by which to receive security policy statements indicating security policies to be implemented between source sets of one or more end stations and destination sets of one or more end stations in the network, including a script interpreter which interprets a script language to determine the security policy statements, and the script language includes a syntax for specifying a security policy statement including a source set identifier, a destination set identifier, a communication activity identifier, and a rule for the identified communication activity between the identified source set and the identified destination set; and

a configuration driver, coupled to the network, the configuration interface, and the topology data store, including resources which translate the security policy statements into configuration data for various types of nodes in the network, and which send the configuration data to the nodes.

(Dependent claims: 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42.)

43. A method for establishing a firewall system in a network including a set of nodes of a plurality of types, nodes in the set of nodes in the network including security functions executing in response to configuration data adapted for the corresponding node, comprising:

providing topology data including information about security functions operating in nodes in the set, and about interconnection of nodes in the set;

providing security policy statements indicating security policies to be implemented among end systems in the set;

translating, in response to the topology data, the security policy statements into configuration data for security functions operating at nodes in the set; and

establishing the configuration data in the security functions at the nodes in the network;

wherein the topology data includes data structures providing information for particular nodes, including addresses at one or more protocol layers, whether or not the particular node is trusted to enforce security policy, the type of security policy the particular node is able to enforce, and connections of the particular node to other nodes.

(Dependent claims: 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62.)

63. A method for establishing a firewall system in a network including a set of nodes of a plurality of types, nodes in the set of nodes in the network including security functions executing in response to configuration data adapted for the corresponding type of node in the network, comprising:

providing topology data including information about security functions operating in nodes in the set, and about interconnection of nodes in the set;

providing security policy statements indicating security policies to be implemented between a source set of end stations and a destination set of end stations in the set;

identifying, in response to the topology data and the security policy statements, a cut vertex set of nodes consisting of nodes capable of enforcing the security policy statements, and which if removed from the network would isolate the source set from the destination set;

translating, in response to the identified cut vertex set and the security policy statements, into configuration data for security functions operating at nodes in the cut vertex set; and

establishing the configuration data in the security functions at the nodes in the cut vertex set.

(Dependent claims: 64, 65, 66, 67, 68, 69, 70.)
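The following Python toy is an added illustration of the elements that claims 25, 29, 43 and 63 describe; it is not the patent's own code, and the script syntax, node names, addresses and topology are constructed assumptions. It models a topology data store that records addresses, trust and links for each node, an interpreter for a script whose statements name a source set, a destination set, a communication activity and a rule, a routine that selects a cut vertex set of active (trusted) nodes whose removal isolates the source set from the destination set and that flags statements the topology cannot enforce, and a configuration driver that emits configuration data keyed to the device type (network-layer addresses for a router, MAC addresses for a switch).

```python
"""Toy model (constructed, not the patent's code) of a multilayer firewall
configuration driver: topology store, policy-script interpreter, cut vertex
set selection, and per-device-type configuration data."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str                     # "host", "switch", "router", "hub"
    ip: str = ""                  # network-layer address ("" for pure layer-2 devices)
    mac: str = ""                 # MAC-layer address
    trusted: bool = False         # active node: trusted and able to enforce policy
    links: set = field(default_factory=set)


class Topology:
    """Topology data store: nodes, their addresses, trust, and interconnections."""
    def __init__(self):
        self.nodes = {}

    def add(self, node):
        self.nodes[node.name] = node

    def link(self, a, b):
        self.nodes[a].links.add(b)
        self.nodes[b].links.add(a)

    def reachable(self, start, removed):
        """Breadth-first search with the nodes in `removed` deleted from the graph."""
        seen = {s for s in start if s not in removed}
        queue = deque(seen)
        while queue:
            for nxt in self.nodes[queue.popleft()].links:
                if nxt not in removed and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


@dataclass
class Policy:
    src: str
    dst: str
    activity: str
    rule: str


def parse_script(text):
    """Interpret the assumed script syntax:
       set <name> = <node> ...                    (defines a source/destination set)
       policy <src> -> <dst> : <activity> <rule>  (one security policy statement)"""
    sets, policies = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("set "):
            name, members = line[4:].split("=", 1)
            sets[name.strip()] = set(members.split())
        elif line.startswith("policy "):
            ends, action = line[7:].split(":", 1)
            src, dst = (s.strip() for s in ends.split("->", 1))
            activity, rule = action.split()
            policies.append(Policy(src, dst, activity, rule))
        else:
            raise ValueError(f"unrecognised statement: {raw!r}")
    return sets, policies


def cut_vertex_set(topo, sources, dests):
    """Active nodes which, if removed, isolate `sources` from `dests`.
    Returns None when no such set exists, i.e. the statement cannot be enforced."""
    endpoints = sources | dests
    shared = topo.reachable(sources, set()) & topo.reachable(dests, set())
    cut = {n for n in shared - endpoints if topo.nodes[n].trusted}
    if topo.reachable(sources, cut) & dests:
        return None                      # a path of only passive nodes remains
    for n in sorted(cut):                # greedily drop nodes the cut does not need
        if not topo.reachable(sources, cut - {n}) & dests:
            cut.discard(n)
    return cut


def compile_policy(topo, sets, policy):
    """Configuration driver: translate one statement into per-node configuration data."""
    sources, dests = sets[policy.src], sets[policy.dst]
    cut = cut_vertex_set(topo, sources, dests)
    if cut is None:
        return None
    configs = []
    for name in sorted(cut):
        node = topo.nodes[name]
        attr = "ip" if node.kind == "router" else "mac"   # match on the layer the device sees
        configs.append({"node": name, "kind": node.kind, "match": attr,
                        "src": sorted(getattr(topo.nodes[s], attr) for s in sources),
                        "dst": sorted(getattr(topo.nodes[d], attr) for d in dests),
                        "activity": policy.activity, "rule": policy.rule})
    return configs


def build_demo():
    """Constructed sample topology: engineering hosts behind a trusted switch and
    router; finance and guest hosts on an untrusted switch; a passive hub bypass."""
    topo = Topology()
    for n in [Node("h1", "host", "10.0.1.11", "00:11:22:33:44:01"),
              Node("h2", "host", "10.0.1.12", "00:11:22:33:44:02"),
              Node("f1", "host", "10.0.2.21", "00:11:22:33:44:21"),
              Node("g1", "host", "10.0.2.99", "00:11:22:33:44:99"),
              Node("sw1", "switch", mac="00:11:22:33:55:01", trusted=True),
              Node("r1", "router", ip="10.0.0.1", trusted=True),
              Node("hub1", "hub"),                               # passive repeater
              Node("sw2", "switch", mac="00:11:22:33:55:02")]:   # not trusted
        topo.add(n)
    for a, b in [("h1", "sw1"), ("h2", "sw1"), ("sw1", "r1"), ("sw1", "hub1"),
                 ("r1", "sw2"), ("hub1", "sw2"), ("sw2", "f1"), ("sw2", "g1")]:
        topo.link(a, b)
    return topo


DEMO_SCRIPT = """
# constructed policy script
set engineering = h1 h2
set finance = f1
set guest = g1
policy engineering -> finance : http deny
policy finance -> guest : ftp deny
"""


def run_demo():
    topo = build_demo()
    sets, policies = parse_script(DEMO_SCRIPT)
    return {f"{p.src}->{p.dst}": compile_policy(topo, sets, p) for p in policies}


if __name__ == "__main__":
    for name, cfg in run_demo().items():
        print(name, "->", cfg if cfg is not None else "NOT ENFORCEABLE")
```

In the constructed topology the first statement lands on the trusted switch sw1 alone (the router r1 is dropped from the cut because the passive hub bypasses it, so only sw1 separates engineering from finance), and the second statement is reported as unenforceable because finance and guest share an untrusted switch with no active node between them.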
Specification