System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

US 8,881,258 B2
Filed: 08/24/2011
Issued: 11/04/2014
Est. Priority Date: 08/24/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

detecting, at a first node having a security-as-a-service (SaaS) agent, a threat originating from a source node having a source address in a network, wherein the network includes at least the first node and a plurality of nodes each having a respective SaaS agent;

applying a local firewall policy on the first node to block incoming connections associated with the source address;

broadcasting, from the first node, an alert to the respective SaaS agents of the plurality of nodes in the network, wherein the broadcast alert comprises the source address of the source node from which the threat originated, wherein broadcasting the alert comprises broadcasting the local firewall policy;

identifying, by the first node, a presence of an SaaS firewall module of the source node; and

responsive to identifying the presence of the SaaS firewall module on the source node, communicating to the source node to apply a remote firewall policy to block outgoing connections from the source node to the plurality of nodes in the network.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for containing a threat in network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.

161 Citations

14 Claims

1. A method, comprising:
- detecting, at a first node having a security-as-a-service (SaaS) agent, a threat originating from a source node having a source address in a network, wherein the network includes at least the first node and a plurality of nodes each having a respective SaaS agent;
  
  applying a local firewall policy on the first node to block incoming connections associated with the source address;
  
  broadcasting, from the first node, an alert to the respective SaaS agents of the plurality of nodes in the network, wherein the broadcast alert comprises the source address of the source node from which the threat originated, wherein broadcasting the alert comprises broadcasting the local firewall policy;
  
  identifying, by the first node, a presence of an SaaS firewall module of the source node; and
  
  responsive to identifying the presence of the SaaS firewall module on the source node, communicating to the source node to apply a remote firewall policy to block outgoing connections from the source node to the plurality of nodes in the network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising alerting a network administrator.
  - 3. The method of claim 1, wherein the threat is malware on the source node.
  - 4. The method of claim 1, wherein the network is an intranet.
  - 5. The method of claim 1, further comprising:
    - alerting a network administrator;
      
      wherein broadcasting the alert comprises broadcasting the source address and instructions for applying the local firewall policy.
  - 6. The method of claim 1, wherein the plurality of nodes of the network comprises an SaaS platform, wherein the SaaS platform includes a combination of at least one SaaS antivirus module and at least one SaaS firewall module in each node of the plurality of nodes.

7. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- detecting, at a first node having a security-as-a-service (SaaS) agent, a threat originating from a source node having a source address in a network, wherein the network includes at least the first node and a plurality of nodes each having a respective SaaS agent;
  
  applying a local firewall policy on the first node to block incoming connections associated with the source address;
  
  broadcasting, from the first node, an alert to the respective SaaS agents of the plurality of nodes in the network, wherein the broadcast alert comprises the source address of the source node from which the threat originated, wherein broadcasting the alert comprises broadcasting the local firewall policy;
  
  identifying, by the first node, a presence of an SaaS firewall module of the source node; and
  
  responsive to identifying the presence of the SaaS firewall module on the source node, communicating to the source node to apply a remote firewall policy to block outgoing connections from the source node to the plurality of nodes in the network.
- View Dependent Claims (8, 9, 10)
- - 8. The encoded logic of claim 7, further comprising alerting a network administrator.
  - 9. The encoded logic of claim 7, wherein the threat is malware on the source node.
  - 10. The encoded logic of claim 7, wherein the plurality of nodes of the network comprises an SaaS platform, wherein the SaaS platform includes a combination of at least one SaaS antivirus module and at least one SaaS firewall module in each node of the plurality of nodes.

11. A first node, comprising:
- an antivirus module;
  
  a local firewall module;
  
  a dynamic policy module; and
  
  one or more processors operable to execute instructions associated with the antivirus module, the local firewall module, and the dynamic policy module such that the first node is configured for;
  
  detecting, at a first node having a security-as-a-service (SaaS) agent, a threat originating from a source node having a source address in a network, wherein the network includes at least the first node and a plurality of nodes each having a respective SaaS agent;
  
  applying a local firewall policy on the first node to block incoming connections associated with the source address;
  
  broadcasting, from the first node, an alert to the respective SaaS agents of the plurality of nodes in the network, wherein the broadcast alert comprises the source address of the source node from which the threat originated, wherein broadcasting the alert comprises broadcasting the local firewall policy;
  
  identifying, by the first node, a presence of an SaaS firewall module of the source node; and
  
  responsive to identifying the presence of the SaaS firewall module on the source node, communicating to the source node to apply a remote firewall policy to block outgoing connections from the source node to the plurality of nodes in the network.
- View Dependent Claims (12, 13, 14)
- - 12. The first node of claim 11, further comprising alerting a network administrator.
  - 13. The first node of claim 11, wherein the threat is ma ware on the source node.
  - 14. The first node of claim 11, wherein the SaaS agent includes the antivirus module, the local firewall module, and the dynamic policy module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Paul, Manabendra, Sudharma, Praveen Ravichandran
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US13/216,516
Publication Number

US 20130247167A1
Time in Patent Office

1,168 Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 41/06   Management of faults, event...

H04L 63/0218   Distributed architectures, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

161 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

System, method, and computer program for preventing infections from spreading in a network environment using dynamic application of a firewall policy

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others