Automatically configuring a computer firewall based on network connection

US 7,284,267 B1
Filed: 03/08/2001
Issued: 10/16/2007
Est. Priority Date: 03/08/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A computerized method for automatically configuring a firewall operating within an individual computer comprising:

determining a zone for a network address dynamically assigned to a network adapter in the individual computer; and

associating a security policy for the zone with the network adapter, the security policy specifying the firewall configuration to protect the individual computer;

wherein the security policy is defined by a policy file which includes a policy file data structure stored as an XML (extensible markup language) document;

wherein a security policy section of the policy file data structure includes an entry for each security policy that is identified by a policy identifier field and is associated with a network protocol that is identified by a protocol identifier field;

wherein the security policy section specifies filters for at least a portion of ports and services defined by the network protocol, and each port and service associated with the security policy is identified by an element identifier field, a field containing filter settings, and a log indicator field;

wherein at least one security policy is included for a TCP/IP network and includes a PPTP (point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a NetBIOS (network basic input/output system) service;

wherein a default setting for a high security policy on the TCP/IP network disallows incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to shared resources on the individual computer, and disallows the individual computer from using shared resources of other computers on the TCP/IP network, where incoming network traffic that attempts to access the individual computer using PPTP and NetBIOS is logged;

wherein a zone section of the policy file data structure includes an entry for each defined address zone and includes an identifier field, an address parameters field that defines the zone, and an identifier field for the security policy assigned to the zone;

wherein a default zone is defined by addresses that are outside another zone;

wherein the determining and associating is performed when the network address for the network adapter changes;

wherein the security policy associated with the network protocol is specific to the network protocol;

wherein the zone is defined by a set of network addresses, which comprises at least one address outside the zone;

wherein the network address dynamically assigned to the network adapter is determined by at least one of;

mapping an adapter registry identifier to an associated network address stored in an operating system registry;

monitoring network traffic at the network adapter and examining a predefined limited amount of the network traffic to determine the network address; and

receiving a network address from a network adapter device driver when the network adapter connects to the TCP/IP network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall protecting a computer is automatically configured to a particular security policy based on an address assigned to a network adapter. A zone that contains the network address is determined and a security policy that is assigned to the zone is associated with the network adapter. The security policy specifies the configuration the firewall uses when handling network traffic between the adapter and the network corresponding to the address. In another aspect, the address assigned to the network adapter is also determined.

106 Citations

View as Search Results

24 Claims

1. A computerized method for automatically configuring a firewall operating within an individual computer comprising:
- determining a zone for a network address dynamically assigned to a network adapter in the individual computer; and
  
  associating a security policy for the zone with the network adapter, the security policy specifying the firewall configuration to protect the individual computer;
  
  wherein the security policy is defined by a policy file which includes a policy file data structure stored as an XML (extensible markup language) document;
  
  wherein a security policy section of the policy file data structure includes an entry for each security policy that is identified by a policy identifier field and is associated with a network protocol that is identified by a protocol identifier field;
  
  wherein the security policy section specifies filters for at least a portion of ports and services defined by the network protocol, and each port and service associated with the security policy is identified by an element identifier field, a field containing filter settings, and a log indicator field;
  
  wherein at least one security policy is included for a TCP/IP network and includes a PPTP (point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a NetBIOS (network basic input/output system) service;
  
  wherein a default setting for a high security policy on the TCP/IP network disallows incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to shared resources on the individual computer, and disallows the individual computer from using shared resources of other computers on the TCP/IP network, where incoming network traffic that attempts to access the individual computer using PPTP and NetBIOS is logged;
  
  wherein a zone section of the policy file data structure includes an entry for each defined address zone and includes an identifier field, an address parameters field that defines the zone, and an identifier field for the security policy assigned to the zone;
  
  wherein a default zone is defined by addresses that are outside another zone;
  
  wherein the determining and associating is performed when the network address for the network adapter changes;
  
  wherein the security policy associated with the network protocol is specific to the network protocol;
  
  wherein the zone is defined by a set of network addresses, which comprises at least one address outside the zone;
  
  wherein the network address dynamically assigned to the network adapter is determined by at least one of;
  
  mapping an adapter registry identifier to an associated network address stored in an operating system registry;
  
  monitoring network traffic at the network adapter and examining a predefined limited amount of the network traffic to determine the network address; and
  
  receiving a network address from a network adapter device driver when the network adapter connects to the TCP/IP network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computerized method of claim 1 further comprising:
    - determining the network address assigned to the network adapter.
  - 3. The computerized method of claim 1, wherein the set of network addresses comprises at least one address within the zone.
  - 4. The computerized method of claim 1 further comprising:
    - assigning the security policy to the zone.
  - 5. The computerized method of claim 1 further comprising:
    - retrieving the policy file that contains definitions for the zone and the security policy and specifies that the security policy is assigned to the zone.
  - 6. The computerized method of claim 5 further comprising:
    - creating the policy file from data input by a user.
  - 7. The computerized method of claim 5 further comprising:
    - creating the policy file from data input by an administrator.
  - 8. The computerized method of claim 5 further comprising:
    - receiving data from a predetermined location on the network through the network adapter; and
      
      creating the policy file from the data.

9. A storage device storing computer-executable instructions to automatically configure a firewall operating within an individual computer comprising:
- determining a zone for a network address assigned dynamically to a network adapter in the individual computer;
  
  defining the zone based on a set of network addresses including at least one address outside the zone; and
  
  associating a security policy for the zone with the network adapter, the security policy specifying the firewall configuration to protect the individual computer;
  
  wherein the security policy is defined by a policy file which includes a policy file data structure stored as an XML (extensible markup language) document;
  
  wherein a security policy section of the policy file data structure includes an entry for each security policy that is identified by a policy identifier field and is associated with a network protocol that is identified by a protocol identifier field;
  
  wherein the security policy section specifies filters for at least a portion of ports and services defined by the network protocol, and each port and service associated with the security policy is identified by an element identifier field, a field contained filter settings, and a log indicator field;
  
  wherein at least one security policy is included for a TCP/IP network and includes a PPTP (point-to-point tunneling protocol), a RIP (routing information protocol), a DHCP (dynamic host configuration protocol), an ARP (address resolution protocol), an Ident (identification protocol), ICMP (internet control message protocol) and VPN (virtual private networking) ports, and a NetBIOS (network basic input/output system) service;
  
  wherein a default setting for a high security policy on the TCP/IP network disallows incoming network traffic through the PPTP and ICMP ports, allows incoming network traffic through the RIP, DHCP, ARP and VPN ports, disallows access through the NetBIOS service to shared resources on the individual computer, and disallows the individual computer from using shared resources of other computers on the TCP/IP network where incoming network traffic that attempts to access the individual computer using PPTP and NetBIOS is logged;
  
  wherein a zone section of the policy file data structure includes an entry for each defined address zone and includes an identifier field, an address parameters field that defines the zone, and an identifier field for the security policy assigned to the zone;
  
  wherein a default zone is defined by addresses that are outside another zone;
  
  wherein the determining and associating is performed when the network address for the network adapter changes;
  
  wherein the security policy associated with the network protocol is specific to the network protocol;
  
  wherein the network address dynamically assigned to the network adapter is determined by at least one of;
  
  mapping an adapter registry identifier to an associated network address stored in an operating system registry;
  
  monitoring network traffic at the network adapter and examining a predefined limited amount of the network traffic to determine the network address; and
  
  receiving a network address from a network adapter device driver when the network adapter connects to the TCP/IP network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The storage device of claim 9 storing further computer-readable instructions comprising:
    - determining the network address assigned to the network adapter.
  - 11. The storage device of claim 9 storing further computer-readable instructions comprising:
    - assigning the security policy to the zone.
  - 12. The storage device of claim 9 storing further computer-readable instructions comprising:
    - retrieving the policy file that contains definitions for the zone and the security policy and specifies that the security policy is assigned to the zone.
  - 13. The storage device of claim 12 storing further computer-readable instructions comprising:
    - creating the policy file from data input by a user.
  - 14. The storage device of claim 12 storing further computer readable instructions comprising:
    - creating the policy file from data input by an administrator.
  - 15. The storage device of claim 12 storing further computer-readable instructions comprising:
    - receiving data from a predetermined location on the network through the network adapter; and
      
      creating the policy file from the data.
  - 16. The storage device of claim 9 storing further computer-readable instructions comprising:
    - including at least one address within the zone in the set of network addresses.

17. A computerized system comprising:
- a processing unit;
  
  a memory coupled to the processing unit through a bus;
  
  a network adapter coupled to the processing unit through the bus and further operable for coupling to a network;
  
  a firewall process executed from the memory by the processing unit to protect the computerized system when the network adapter is coupled to a network by causing the processing unit to filter data addressed to the network adapter according to a security policy; and
  
  a firewall configuration process executed from the memory by the processing unit to cause the processing unit to determine a zone for a network address dynamically assigned to the network adapter and to associate a firewall security policy for the zone with the network adapter;
  
  wherein the security policy is defined by a policy file which includes a policy file data structure stored as an XML (extensible markup language) document;
  
  wherein a security policy section of the policy file data structure includes an entry for each security policy that is identified by a policy identifier field and is associated with a network protocol that is identified by a protocol identifier field;
  
  mapping an adapter registry identifier to an associated network address stored in an operating system registry;
  
  monitoring network traffic at the network adapter and examining a predefined limited amount of the network traffic to determine the network address; and
  
  receiving a network address from a network adapter device driver when the network adapter connects to the TCP/IP network.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computerized system of claim 17 wherein the firewall configuration process further causes the processing unit to determine the network address of the network adapter.
  - 19. The computerized system of claim 17, wherein the set of network addresses comprises at least one address within the zone.
  - 20. The computerized system of claim 17, wherein the firewall configuration process further causes the processing unit to assign the security policy to the zone.
  - 21. The computerized system of claim 17, wherein the firewall configuration process further causes the processing unit to retrieve the policy file that contains definitions for the zone and the security policy and specifies that the security policy is assigned to the zone.
  - 22. The computerized system of claim 21, wherein the firewall configuration process further causes the processing unit to receive data from a user and to create the policy file from the data.
  - 23. The computerized system of claim 21, wherein the firewall configuration process further causes the processing unit to receive data from an administrator and to create the policy file from the data.
  - 24. The computerized system of claim 21, wherein the firewall configuration process further causes the processing unit to receive data from a predetermined location on the network through the network adapter and to create the policy file from the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
McArdle, Mark J., Johnston, Brent A., Dool, James, Nathan, Philip D. R.
Primary Examiner(s)
Cardone; Jason
Assistant Examiner(s)
CHOUDHURY, AZIZUL Q

Application Number

US09/803,527
Time in Patent Office

2,413 Days
Field of Search

713/201, 709/225
US Class Current

726/11
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

Automatically configuring a computer firewall based on network connection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Automatically configuring a computer firewall based on network connection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others