Firewall configuration validation
First Claim
1. A method of managing configuration of a network node, the configuration comprising a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action, said method comprising validating the configuration of the network node by evaluating each rule in a new or modified processing rule base against requirements defined in a validation rule base, and accepting the processing rule base for the network node only if the requirements are fulfilled, the validation rule base comprising at least one validation rule having one or more identification values and at least one associated required action.
9 Assignments
0 Petitions
Abstract
The invention relates to processing configuration of a network node, such as for example a firewall, and for sharing the configuration management between several administrators. The configuration comprises a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action. The configuration of the network node is validated by determining, whether the processing rule base fulfils requirements defined in a validation rule base. The use of validation rule base enables verifying that processing rule bases managed by different administrators fulfil some set requirements. Additionally, the invention accounts for detecting human errors in configurations.
55 Citations
21 Claims
-
18. A computer-readable medium, containing a computer software which, when executed in a computer device, causes the computer device to provide a routine for managing configuration of a network node, the configuration including a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules including one or more identification values for identifying a data packet and an action, said routine comprising
validating the configuration of the network node by evaluating each rule in a new or modified processing rule base against requirements defined in a validation rule base, and accepting the processing rule base for the network node only if the requirements are fulfilled, the validation rule base comprising at least one validation rule having one or more identification values and at least one associated required action.
-
20. An arrangement for managing configuration of a network node, the configuration including a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules including one or more identification values for identifying a data packet and an action, the arrangement comprising:
a validation mechanism for validating the configuration of the network node by evaluating each rule in a new or modified processing rule base against requirements defined in a validation rule base, and accepting the processing rule base for the network node only if the requirements are fulfilled, the validation rule base comprising at least one validation rule having one or more identification values and at least one associated required action.
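The abstract and the independent claims describe the same mechanism: a processing rule base (filtering rules, each with identification values and an action) is checked rule by rule against a validation rule base (identification values plus a required action), and the whole rule base is accepted only when no requirement is violated. The following Python is an added illustration of that check and is not the patent's or any vendor's implementation. It assumes a simple five-tuple rule model (source, destination, protocol, destination port, action) and a conservative matching semantics: any processing rule that could identify a packet also covered by a validation rule must carry that validation rule's required action, regardless of rule order. The sample rule bases and validation rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

ANY = "any"  # wildcard for network and protocol fields; None is the port wildcard


@dataclass(frozen=True)
class Rule:
    """A processing (filtering) rule: identification values plus an action."""
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class ValidationRule:
    """A validation rule: identification values and the action they require."""
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    required_action: str
    reason: str = ""     # human-readable requirement, reported on violation


def _nets_overlap(a: str, b: str) -> bool:
    """Two address fields overlap if either is a wildcard or the networks intersect."""
    if a == ANY or b == ANY:
        return True
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def _field_overlap(a, b) -> bool:
    """Scalar fields overlap if either is a wildcard or both are equal."""
    return a in (ANY, None) or b in (ANY, None) or a == b


def rule_overlaps(rule: Rule, vrule: ValidationRule) -> bool:
    """True when at least one packet could be identified by both rules."""
    return (_nets_overlap(rule.src, vrule.src)
            and _nets_overlap(rule.dst, vrule.dst)
            and _field_overlap(rule.proto, vrule.proto)
            and _field_overlap(rule.dport, vrule.dport))


def validate_rule_base(rules: List[Rule],
                       vrules: List[ValidationRule]) -> Tuple[bool, List[str]]:
    """Evaluate every processing rule against every validation rule.

    A processing rule whose identification values overlap a validation rule
    must carry that validation rule's required action. Any mismatch is a
    violation, and a single violation rejects the whole rule base, which is
    the accept-only-if-all-requirements-hold behaviour the claims describe.
    """
    violations: List[str] = []
    for index, rule in enumerate(rules):
        for vrule in vrules:
            if rule_overlaps(rule, vrule) and rule.action != vrule.required_action:
                violations.append(
                    f"rule {index} ({rule.src} -> {rule.dst} "
                    f"{rule.proto}/{rule.dport if rule.dport is not None else 'any'} "
                    f"{rule.action}) violates '{vrule.reason}': "
                    f"required action is {vrule.required_action}")
    return (not violations, violations)


# Constructed validation rule base: requirements every administrator's rule
# base must satisfy (both are 'must deny' requirements).
VALIDATION_RULES = [
    ValidationRule(ANY, "192.0.2.0/24", "tcp", 23, "deny", "no telnet into the DMZ"),
    ValidationRule(ANY, ANY, "tcp", 445, "deny", "no SMB through the firewall"),
]

# Constructed processing rule base that satisfies the requirements.
GOOD_RULES = [
    Rule("0.0.0.0/0", "192.0.2.10/32", "tcp", 443, "allow"),
    Rule("10.0.0.0/8", "192.0.2.0/24", "tcp", 22, "allow"),
    Rule(ANY, ANY, ANY, None, "deny"),
]

# Constructed rule base with a typical human error: the administrator left
# the port out of the first rule, so it now allows every TCP port to the host.
BAD_RULES = [
    Rule("0.0.0.0/0", "192.0.2.10/32", "tcp", None, "allow"),
    Rule(ANY, ANY, ANY, None, "deny"),
]


if __name__ == "__main__":
    for name, base in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        accepted, problems = validate_rule_base(base, VALIDATION_RULES)
        print(f"{name} rule base accepted: {accepted}")
        for problem in problems:
            print("  ", problem)
```

Because each processing rule is judged on its own, the check is deliberately strict: an over-broad rule is rejected even if a narrower rule earlier in the base would have matched first. That strictness is what catches the dropped-port mistake in `BAD_RULES`. Validation rules that require `allow` would need order-aware evaluation (a final catch-all deny would otherwise always conflict), which this example does not attempt.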
Specification