Firewall configuration validation

US 7,406,534 B2
Filed: 12/18/2002
Issued: 07/29/2008
Est. Priority Date: 12/18/2001
Status: Active Grant

First Claim

Patent Images

1. A method of managing configuration of a network node, the configuration comprising a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action, said method comprisingvalidating the configuration of the network node by evaluating each rule in a new or modified processing rule base against requirement defined in a validation rule base, and accepting the processing rule base for the network node only if the requirements are fulfilled, the validation rule base comprising at least one validation rule having one or more identification values and at least one associated required action.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to processing configuration of a network node, such as for example a firewall, and for sharing the configuration management between several administrators. The configuration comprises a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action. The configuration of the network node is validated by determining, whether the processing rule base fulfils requirements defined in a validation rule base. The use of validation rule base enables verifying that processing rule bases managed by different administrators fulfil some set requirements. Additionally, the invention accounts for detecting human errors in configurations.

55 Citations

View as Search Results

21 Claims

1. A method of managing configuration of a network node, the configuration comprising a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action, said method comprisingvalidating the configuration of the network node by evaluating each rule in a new or modified processing rule base against requirement defined in a validation rule base, and accepting the processing rule base for the network node only if the requirements are fulfilled, the validation rule base comprising at least one validation rule having one or more identification values and at least one associated required action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1, wherein the evaluating comprises:
    - finding the at least one action defined in the processing rule base for at least one identification value of a validation rule,passing the validation rule, if said at least one action conforms to the required at least one action in said validation rule, and failing the validation rule, if said at least one action does not conform to the required at least one action in said validation rule, andpassing the validation, if all validation rules are passed.
  - 3. A method according to claim 1, comprising validating the configuration as a response to a predefined action.
  - 4. A method according to claim 3, wherein the said predefined action is a command by a user to perform the validation, starting up of the network node, uploading a new or modified configuration to the network node or saving a configuration.
  - 5. A method according to claim 1, comprising rejecting the configuration, if the requirements defined in the validation rule base are not fulfilled.
  - 6. A method according to claim 1, comprising generating an error message, if the requirements defined in the validation rule base are not fulfilled.
  - 7. A method according to any one of claims 2 to 6, comprising outputting a rule of the processing rule base, which does not conform to a validation rule.
  - 8. A method according to claim 1, wherein several administrators are allowed to modify or create a processing rule base and in that a super user is allowed to modify or create a validation rule base.
  - 9. A method according to claim 1, wherein an administrator is allowed to modify or create a processing rule base and a validation rule base.
  - 10. A method according to claim 1, comprisinggenerating a processing rule base model corresponding to said processing rule base and indicating the effective processing rule base rules, andusing the processing rule base model in the evaluation of each rule in the new or modified processing rule base.
  - 11. A method according to claim 1, comprisinggenerating a validation rule base model corresponding to said validation rule base and indicating the effective validation rule base rules, andusing the validation rule base model in the evaluation of each rule in the new or modified processing rule base.
  - 12. A method according to any one of claims 10 and 11, wherein generating a processing or a validation rule base model comprisesarranging rules of the rule base into groups of rules, the rules in a group having a common identification value while keeping a track of the order of the rules in the rule base.
  - 13. A method according to claim 12, wherein one group corresponds at least one service or port number.
  - 14. A method according to claim 10 or 11, wherein generating a processing or a validation rule base model comprises:
    - if there exist overlapping identification value combinations in two or more rules of the rule base, maintaining the first one of the two or more rules in the order of the rules unchanged and removing such overlapping identification values from others of the two or more rules for determining the effective identification values in each rule.
  - 15. A method according to claim 10 or 11, wherein generating a processing or a validation rule base model comprisescombining the effects of NAT (Network Address Translation) rules into said processing rule base model by changing addresses and/or port numbers of rules in said processing rule base to real addresses and/or port numbers.
  - 16. A method according to claim 1, wherein said processing rule base is an access rule base or a routing table.
  - 17. A method according to claim 1, wherein said network node is a security gateway, a firewall, a router or a VPN (Virtual Private Network) gateway.

18. A computer-readable medium, containing a computer software which, when executed in a computer device, causes the computer device to provide a routine for managing configuration of a network node, the configuration including a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules including one or more identification values for identifying a data packet and an action, said routine comprisingvalidating the configuration of the network node by evaluating each rule in a new or modified the processing rule base against requirements defined in a validation rule base, and accepting the processing rule base for the network node only if the requirements are fulfilled, the validation rule base comprising at least one validation rule having one or more identification values and at least one associated required action.
- View Dependent Claims (19)
- - 19. A computer-readable medium according to claim 18, wherein the evaluating comprises:
    - finding the action(s) defined in the processing rule base for identification value(s) of a validation rule,passing the validation rule, if said at least one action conforms to the required at least one action in said validation rule, and failing the validation rule, if said at least one action does not conform to the required at least one action in said validation rule, andpassing the validation, if all validation rules are passed.

20. An arrangement for managing configuration of a network node, the configuration including a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules including one or more identification values for identifying a data packet and an action, the arrangement comprising:
- a validation mechanism for validating the configuration of the network node by evaluating each rule in a new or modified the processing rule base against requirements defined in a validation rule base, and accepting the processing rule base for the network node only if the requirements are fulfilled, the validation rule base comprising at least one validation rule having one or more identification values and at least one associated required action.
- View Dependent Claims (21)
- - 21. An arrangement according to claim 20, wherein the validation mechanism is arranged to:
    - find the at least one action defined in the processing rule base for at least one identification value of a validation rule,pass the validation rule, if said at least one action conforms to the required at least one action in said validation rule, and to fail the validation rule, if said at least one action does not conform to the required at least one action in said validation rule, andpass the validation, if all validation rules are passed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Stonesoft Corporation
Inventors
Lilius, Eino, Syvanne, Tuomo
Primary Examiner(s)
Chang; Jungwon

Application Number

US10/321,851
Publication Number

US 20030149766A1
Time in Patent Office

2,050 Days
Field of Search

709/224, 709/238, 709/227, 709/223, 709/249, 709/235, 709/229, 726/1, 726/15, 726/3, 726/23, 726/11, 713/201, 370/389, 370/392, 370/395.31, 705/9
US Class Current

709/238
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

Firewall configuration validation

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall configuration validation

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links