Automatically configuring a computer firewall based on network connection
First Claim
1. A computerized method for automatically configuring a firewall operating within an individual computer comprising:
determining a zone for a network address dynamically assigned to a network adapter in the individual computer; and
associating a security policy for the zone with the network adapter, the security policy specifying the firewall configuration to protect the individual computer;
wherein the security policy is defined by a policy file which includes a policy file data structure stored as an XML (extensible markup language) document;
wherein a security policy section of the policy file data structure includes an entry for each security policy that is identified by a policy identifier field and is associated with a network protocol that is identified by a protocol identifier field;
wherein the security policy section specifies filters for at least a portion of ports and services defined by the network protocol, and each port and service associated with the security policy is identified by an element identifier field, a field containing filter settings, and a log indicator field;
wherein at least one security policy is included for a TCP/IP network and includes a PPTP (point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a NetBIOS (network basic input/output system) service;
wherein a default setting for a high security policy on the TCP/IP network disallows incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to shared resources on the individual computer, and disallows the individual computer from using shared resources of other computers on the TCP/IP network, where incoming network traffic that attempts to access the individual computer using PPTP and NetBIOS is logged;
wherein a zone section of the policy file data structure includes an entry for each defined address zone and includes an identifier field, an address parameters field that defines the zone, and an identifier field for the security policy assigned to the zone;
wherein a default zone is defined by addresses that are outside another zone;
wherein the determining and associating is performed when the network address for the network adapter changes;
wherein the security policy associated with the network protocol is specific to the network protocol;
wherein the zone is defined by a set of network addresses, which comprises at least one address outside the zone;
wherein the network address dynamically assigned to the network adapter is determined by at least one of:
mapping an adapter registry identifier to an associated network address stored in an operating system registry;
monitoring network traffic at the network adapter and examining a predefined limited amount of the network traffic to determine the network address; and
receiving a network address from a network adapter device driver when the network adapter connects to the TCP/IP network.
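The claimed scheme worked through as an added example, not code from the patent: a constructed XML policy file with a security policy section and a zone section, a default zone that catches every address outside the other zones, and the determine-zone-then-associate-policy step that runs when the adapter's assigned address changes. The tag and attribute names (PolicyFile, SecurityPolicies, Policy, Element, Zones, Zone, addresses, filter, log), the policy and zone identifiers, and the sample addresses are assumptions; the claim names fields, not an XML vocabulary.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed policy file modelled on the claim's two sections. Tag and attribute
# names are assumptions; the high policy's filter and log settings follow the claim.
POLICY_XML = """<PolicyFile>
  <SecurityPolicies>
    <Policy id="high" protocol="tcpip">
      <Element id="pptp" filter="deny" log="true"/>
      <Element id="icmp" filter="deny" log="false"/>
      <Element id="rip" filter="allow" log="false"/>
      <Element id="dhcp" filter="allow" log="false"/>
      <Element id="arp" filter="allow" log="false"/>
      <Element id="vpn" filter="allow" log="false"/>
      <Element id="netbios" filter="deny" log="true"/>
    </Policy>
    <Policy id="trusted" protocol="tcpip">
      <Element id="netbios" filter="allow" log="false"/>
    </Policy>
  </SecurityPolicies>
  <Zones>
    <Zone id="office" addresses="10.20.0.0/16" policy="trusted"/>
    <Zone id="default" addresses="*" policy="high"/>
  </Zones>
</PolicyFile>"""

def load_policy_file(xml_text):
    """Policy section -> {policy_id: {element_id: (filter, log)}}; zone section -> [(zone_id, addresses, policy_id)]."""
    root = ET.fromstring(xml_text)
    policies = {p.get("id"): {e.get("id"): (e.get("filter"), e.get("log") == "true")
                              for e in p.findall("Element")}
                for p in root.iter("Policy")}
    zones = [(z.get("id"), z.get("addresses"), z.get("policy")) for z in root.iter("Zone")]
    return policies, zones

def determine_zone(zones, address):
    """Zone whose address parameters contain the address; the '*' zone is the default zone."""
    ip = ipaddress.ip_address(address)
    for zone_id, addrs, _ in zones:
        if addrs != "*" and ip in ipaddress.ip_network(addrs):
            return zone_id
    return next(z for z, addrs, _ in zones if addrs == "*")

def configure_adapter(xml_text, adapter_address):
    """Run when the adapter's address changes: determine the zone, then associate its policy."""
    policies, zones = load_policy_file(xml_text)
    zone_id = determine_zone(zones, adapter_address)
    policy_id = next(p for z, _, p in zones if z == zone_id)
    return zone_id, policy_id, policies[policy_id]
```

An address outside every defined zone lands in the default zone and receives the high policy, so a laptop that moves from the office network to an unknown network is locked down without any user action.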
Abstract
A firewall protecting a computer is automatically configured to a particular security policy based on an address assigned to a network adapter. A zone that contains the network address is determined and a security policy that is assigned to the zone is associated with the network adapter. The security policy specifies the configuration the firewall uses when handling network traffic between the adapter and the network corresponding to the address. In another aspect, the address assigned to the network adapter is also determined.
24 Claims
9. A storage device storing computer-executable instructions to automatically configure a firewall operating within an individual computer comprising:
determining a zone for a network address assigned dynamically to a network adapter in the individual computer;
defining the zone based on a set of network addresses including at least one address outside the zone; and
associating a security policy for the zone with the network adapter, the security policy specifying the firewall configuration to protect the individual computer;
wherein the security policy is defined by a policy file which includes a policy file data structure stored as an XML (extensible markup language) document;
wherein a security policy section of the policy file data structure includes an entry for each security policy that is identified by a policy identifier field and is associated with a network protocol that is identified by a protocol identifier field;
wherein the security policy section specifies filters for at least a portion of ports and services defined by the network protocol, and each port and service associated with the security policy is identified by an element identifier field, a field containing filter settings, and a log indicator field;
wherein at least one security policy is included for a TCP/IP network and includes a PPTP (point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a NetBIOS (network basic input/output system) service;
wherein a default setting for a high security policy on the TCP/IP network disallows incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to shared resources on the individual computer, and disallows the individual computer from using shared resources of other computers on the TCP/IP network, where incoming network traffic that attempts to access the individual computer using PPTP and NetBIOS is logged;
wherein a zone section of the policy file data structure includes an entry for each defined address zone and includes an identifier field, an address parameters field that defines the zone, and an identifier field for the security policy assigned to the zone;
wherein a default zone is defined by addresses that are outside another zone;
wherein the determining and associating is performed when the network address for the network adapter changes;
wherein the security policy associated with the network protocol is specific to the network protocol;
wherein the network address dynamically assigned to the network adapter is determined by at least one of:
mapping an adapter registry identifier to an associated network address stored in an operating system registry;
monitoring network traffic at the network adapter and examining a predefined limited amount of the network traffic to determine the network address; and
receiving a network address from a network adapter device driver when the network adapter connects to the TCP/IP network.
17. A computerized system comprising:
a processing unit;
a memory coupled to the processing unit through a bus;
a network adapter coupled to the processing unit through the bus and further operable for coupling to a network;
a firewall process executed from the memory by the processing unit to protect the computerized system when the network adapter is coupled to a network by causing the processing unit to filter data addressed to the network adapter according to a security policy; and
a firewall configuration process executed from the memory by the processing unit to cause the processing unit to determine a zone for a network address dynamically assigned to the network adapter and to associate a firewall security policy for the zone with the network adapter;
wherein the security policy is defined by a policy file which includes a policy file data structure stored as an XML (extensible markup language) document;
wherein a security policy section of the policy file data structure includes an entry for each security policy that is identified by a policy identifier field and is associated with a network protocol that is identified by a protocol identifier field;
mapping an adapter registry identifier to an associated network address stored in an operating system registry;
monitoring network traffic at the network adapter and examining a predefined limited amount of the network traffic to determine the network address; and
receiving a network address from a network adapter device driver when the network adapter connects to the TCP/IP network.