Enhanced personal firewall for dynamic computing environments

US 8,316,427 B2
Filed: 03/09/2007
Issued: 11/20/2012
Est. Priority Date: 03/09/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A personal firewall system comprising:

a computing platform having a processor or electronic circuit configured to perform a logical process;

an inter-firewall connection listener portion of the computing platform comprising instructions which when executed or logical circuit which when operated bind to a specified communications port, to listen for incoming, outgoing, or both incoming and outgoing firewall trust requests, and upon detection of a connection, to transfer firewall control to an inter-firewall controller; and

an inter-firewall controller portion of the computing platform comprising instructions which when executed or logical circuit which when operated establish trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;

upon establishing an outgoing connection by an application program protected by a local firewall to a resource protected by a remote firewall;

to initiate and transmit a handshake identification request from a local firewall to a remote firewall;

responsive to receipt of a handshake response from the remote firewall, to transmit a local firewall public encryption key to the remote firewall;

responsive to receiving a remote firewall public encryption key, to generate, sign, and transmit a trusted computer request with identification information to the remote firewall;

upon receipt of a grant of trusted access from the remote firewall, to allow an application program from behind the local firewall to communicate through the remote firewall, otherwise to block the application program from communication through the remote firewall; and

upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall;

to transmit a firewall identification handshake response to the remote firewall upon receipt of a handshake identification request from the remote firewall;

responsive to receipt of a remote firewall public encryption key, to transmit a local firewall public encryption key to the remote firewall;

responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, to verify that the trusted computer request is signed using the received remote firewall public encryption key;

responsive to determining that the remote firewall has been previously authorized to establish trusted access, to modify local firewall rules to allow data communications to and from one or more addresses associated with the remote firewall to be transceived through the local firewall;

wherein the handshake identification request and the handshake response utilize a pre-determined port for negotiations of a trusted relationship, wherein the handshake identification request and handshake response indicate a supported protocol version and an acceptable key algorithm, and wherein the identification information in the generation of a trusted computer request comprises one or more identifiers selected from the group consisting of a name of a computer protected by the local firewall, a username of a user associated with a computer protected by the local firewall, and an electronic mail address of a user associated with a computer protected by the local firewall.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An enhanced personal firewall system having an inter-firewall connection listener which binds to a specified communications port and listens for inbound and/or outbound connection requests; and an inter-firewall controller which establishes a trusted communications through a local firewall and a remote firewall by exchanging public keys, a signed trusted computer firewall request, and using the keys to determine if a local key storage indicates previous authorization to trusted communications. If not, then a user of the targeted resource is notified and prompted to authorize the access. If so, then the firewall rules protecting the targeted resource are modified, even if temporarily, to allow the requesting firewall to have trusted access.

51 Citations

View as Search Results

12 Claims

1. A personal firewall system comprising:
- a computing platform having a processor or electronic circuit configured to perform a logical process;
  
  an inter-firewall connection listener portion of the computing platform comprising instructions which when executed or logical circuit which when operated bind to a specified communications port, to listen for incoming, outgoing, or both incoming and outgoing firewall trust requests, and upon detection of a connection, to transfer firewall control to an inter-firewall controller; and
  
  an inter-firewall controller portion of the computing platform comprising instructions which when executed or logical circuit which when operated establish trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;
  
  upon establishing an outgoing connection by an application program protected by a local firewall to a resource protected by a remote firewall;
  
  to initiate and transmit a handshake identification request from a local firewall to a remote firewall;
  
  responsive to receipt of a handshake response from the remote firewall, to transmit a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a remote firewall public encryption key, to generate, sign, and transmit a trusted computer request with identification information to the remote firewall;
  
  upon receipt of a grant of trusted access from the remote firewall, to allow an application program from behind the local firewall to communicate through the remote firewall, otherwise to block the application program from communication through the remote firewall; and
  
  upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall;
  
  to transmit a firewall identification handshake response to the remote firewall upon receipt of a handshake identification request from the remote firewall;
  
  responsive to receipt of a remote firewall public encryption key, to transmit a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, to verify that the trusted computer request is signed using the received remote firewall public encryption key;
  
  responsive to determining that the remote firewall has been previously authorized to establish trusted access, to modify local firewall rules to allow data communications to and from one or more addresses associated with the remote firewall to be transceived through the local firewall;
  
  wherein the handshake identification request and the handshake response utilize a pre-determined port for negotiations of a trusted relationship, wherein the handshake identification request and handshake response indicate a supported protocol version and an acceptable key algorithm, and wherein the identification information in the generation of a trusted computer request comprises one or more identifiers selected from the group consisting of a name of a computer protected by the local firewall, a username of a user associated with a computer protected by the local firewall, and an electronic mail address of a user associated with a computer protected by the local firewall.
- View Dependent Claims (2, 3, 4)
- - 2. The system as set forth in claim 1 wherein the generation of a trusted computer request further comprises, responsive to determining the remote firewall has not previously requested a trusted access:
    - prompting a user or administrator of the local firewall to obtain authorization for the remote firewall to establish trusted access, the prompting including presentation of some or all of identification information extracted from the received signed trusted computer request;
      
      receiving from the user or administrator a grant or deny selection; and
      
      according to the grant or deny selection, updating the local public key store to reflect authorization or lack of authorization.
  - 3. The system as set forth in claim 1 wherein the listener and controller are disposed in a personal firewall product having a network communications stack operable by a host computer, the stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, to apply firewall rules against the packets to either allow or deny packet access to or from a host computer, to allow an inter-firewall connection listener to bind to a specified port, to accept incoming transmissions from other host firewalls, and to allow the inter-firewall connection listener to bind to a specified communications port.
  - 4. The system as set forth in claim 1 wherein the listener is configured to bind to a Transmission Control Protocol/Internet Protocol port.

5. A computer-implemented method providing an enhanced personal firewall comprising:
- binding a listener portion of a computing platform to a specified communications port;
  
  listening by the listener for incoming, outgoing, or both incoming and outgoing firewall trust requests;
  
  responsive to detection of a connection, performing logical processes by a computing platform establishing trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;
  
  upon establishing an outgoing connection by an application program protected by a local firewall to a resource protected by a remote firewall;
  
  to initiate and transmit a handshake identification request from a local firewall to a remote firewall;
  
  responsive to receipt of a handshake response from the remote firewall, to transmit a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a remote firewall public encryption key, to generate, sign, and transmit a trusted computer request with identification information to the remote firewall;
  
  upon receipt of a grant of trusted access from the remote firewall, to allow an application program from behind the local firewall to communicate through the remote firewall, otherwise to block the application program from communication through the remote firewall; and
  
  upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall;
  
  to transmit a firewall identification handshake response to the remote firewall upon receipt of a handshake identification request from the remote firewall;
  
  responsive to receipt of a remote firewall public encryption key, to transmit a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, to verify that the trusted computer request is signed using the received remote firewall public encryption key;
  
  responsive to determining that the remote firewall has been previously authorized to establish trusted access, to modify local firewall rules to allow data communications to and from one or more addresses associated with the remote firewall to be transceived through the local firewall;
  
  wherein the handshake identification request and the handshake response utilize a pre-determined port for negotiations of a trusted relationship, wherein the handshake identification request and handshake response indicate a supported protocol version and an acceptable key algorithm, and wherein the identification information in the generation of a trusted computer request comprises one or more identifiers selected from the group consisting of a name of a computer protected by the local firewall, a username of a user associated with a computer protected by the local firewall, and an electronic mail address of a user associated with a computer protected by the local firewall.
- View Dependent Claims (6, 7, 8)
- - 6. The method as set forth in claim 5 wherein generating a trusted computer request further comprises performing the following steps responsive to determining that the remote firewall has not previously requested a trusted access:
    - prompting a user or administrator of the local firewall to obtain authorization for the remote firewall to establish trusted access, the prompting including presentation of some or all of identification information extracted from the received signed trusted computer request;
      
      receiving from the user or administrator a grant or deny selection; and
      
      according to the grant or deny selection, updating the local public key store to reflect authorization or lack of authorization.
  - 7. The method as set forth in claim 5 wherein the binding, listening, and establishing trusted communications are performed within logical processes of a personal firewall product having a network communications stack operable by a host computer, with the stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against the packets to either allow or deny packet access to or from a host computer.
  - 8. The method as set forth in claim 5 wherein the binding and listening bind to and listen to a Transmission Control Protocol/Internet Protocol port.

9. A computer readable storage memory device comprising:
- a tangible, computer readable storage memory device;
  
  first computer instructions for binding a listener to a specified communications port;
  
  second computer instructions for listening by the listener for incoming, outgoing, or both incoming and outgoing firewall trust requests;
  
  third computer instructions for, responsive to detection of a connection, performing logical processes for establishing trusted communications through a local firewall and a remote firewall by performing one or both of the processes of;
  
  upon establishing an outgoing connection by an application program protected by a local firewall to a resource protected by a remote firewall;
  
  to initiate and transmit a handshake identification request from a local firewall to a remote firewall;
  
  responsive to receipt of a handshake response from the remote firewall, to transmit a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a remote firewall public encryption key, to generate, sign, and transmit a trusted computer request with identification information to the remote firewall;
  
  upon receipt of a grant of trusted access from the remote firewall, to allow an application program from behind the local firewall to communicate through the remote firewall, otherwise to block the application program from communication through the remote firewall; and
  
  upon establishing an incoming connection by an application program protected by a remote firewall to a resource protected by a local firewall;
  
  to transmit a firewall identification handshake response to the remote firewall upon receipt of a handshake identification request from the remote firewall;
  
  responsive to receipt of a remote firewall public encryption key, to transmit a local firewall public encryption key to the remote firewall;
  
  responsive to receiving a signed trusted computer request from the remote firewall, and responsive to checking a local public key store to determine that the remote firewall has not previously requested a trusted access, to verify that the trusted computer request is signed using the received remote firewall public encryption key;
  
  responsive to determining that the remote firewall has been previously authorized to establish trusted access, to modify local firewall rules to allow data communications to and from one or more addresses associated with the remote firewall to be transceived through the local firewall;
  
  wherein the first, second and third computer instructions are stored by the tangible, computer readable storage memory device, wherein the handshake identification request and the handshake response utilize a pre-determined port for negotiations of a trusted relationship, wherein the handshake identification request and handshake response indicate a supported protocol version and an acceptable key algorithm, and wherein the identification information in the generation of a trusted computer request comprises one or more identifiers selected from the group consisting of a name of a computer protected by the local firewall, a username of a user associated with a computer protected by the local firewall, and an electronic mail address of a user associated with a computer protected by the local firewall.
- View Dependent Claims (10, 11, 12)
- - 10. The computer readable storage memory device as set forth in claim 9 wherein the computer instructions for generating a trusted computer request further comprises computer instructions for performing the following steps if the remote firewall has not previously requested a trusted access:
    - prompting a user or administrator of the local firewall to obtain authorization for the remote firewall to establish trusted access, the prompting including presentation of some or all of identification information extracted from the received signed trusted computer request;
      
      receiving from the user or administrator a grant or deny selection; and
      
      according to the grant or deny selection, updating the local public key store to reflect authorization or lack of authorization.
  - 11. The computer readable storage memory device as set forth in claim 9 wherein the first, second and third computer instructions are performed within logical processes of a personal firewall product having a network communications stack operable by a host computer, the stack being configured to interrogate outgoing, incoming, or both outgoing and incoming network packets, and to apply firewall rules against the packets to either allow or deny packet access to or from a host computer.
  - 12. The computer readable storage memory device as set forth in claim 9 wherein the first and second computer instructions are configured to bind to and listen to a Transmission Control Protocol/Internet Protocol port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bansal, Ravi Prakash, Hamilton, Rick Allen II, O'Connell, Brian, Walker, Keith Raymond
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
HOLDER, BRADLEY W

Application Number

US11/684,067
Publication Number

US 20080222715A1
Time in Patent Office

2,083 Days
Field of Search

726/11, 726/2, 726/3, 713/150, 713/168, 713/176
US Class Current

726/11
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

Enhanced personal firewall for dynamic computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced personal firewall for dynamic computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links