Automatically recommending firewall rules during enterprise information technology transformation

US 9,059,960 B2
Filed: 08/31/2012
Issued: 06/16/2015
Est. Priority Date: 08/31/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment, the method comprising:

obtaining at least one communication pattern occurring in a pre-transformation source environment by analyzing (i) one or more firewall configuration files and/or firewall log files associated with the source environment, (ii) one or more run-time network flows at the source environment, and (iii) one or more configured dependencies at one or more servers running on the source environment;

automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces, on a per-interface basis, in a post-transformation target environment based on (i) the at least one communication pattern occurring in the source environment and (ii) information derived from the target environment, wherein the one or more vendor-neutral firewall rules contain multiple attributes and values associated therewith for configuring flow-control rules on a firewall device that is not specific to any particular vendor, and wherein said automatically generating comprises;

generating a transformed version of the at least one communication pattern by applying source-target host and internet protocol (IP) subnet mapping information to the at least one communication pattern;

generating an adjusted version of the at least one communication pattern by incorporating one or more communication requirements associated with the target environment to the transformed version of the at least one communication pattern;

identifying a subset of the adjusted version of the at least one communication pattern to be utilized for each of the multiple intended firewall interface in the post-transformation target environment; and

automatically converting the one or more vendor-neutral firewall rules into one or more vendor-specific firewall rules for the target environment based on information derived from the target environment, wherein the one or more vendor-specific firewall rules comprise commands to be directly used to configure a particular firewall device associated with a particular vendor;

wherein at least one of the steps is carried out by a computer device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment. A method includes obtaining at least one communication pattern occurring in a pre-transformation source environment, and automatically generating one or more vendor-neutral rules for one or more intended firewall interfaces in a post-transformation target environment based on the at least one communication pattern occurring in the source environment and based on information derived from the target environment.

69 Citations

View as Search Results

19 Claims

1. A method for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment, the method comprising:
- obtaining at least one communication pattern occurring in a pre-transformation source environment by analyzing (i) one or more firewall configuration files and/or firewall log files associated with the source environment, (ii) one or more run-time network flows at the source environment, and (iii) one or more configured dependencies at one or more servers running on the source environment;
  
  automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces, on a per-interface basis, in a post-transformation target environment based on (i) the at least one communication pattern occurring in the source environment and (ii) information derived from the target environment, wherein the one or more vendor-neutral firewall rules contain multiple attributes and values associated therewith for configuring flow-control rules on a firewall device that is not specific to any particular vendor, and wherein said automatically generating comprises;
  
  generating a transformed version of the at least one communication pattern by applying source-target host and internet protocol (IP) subnet mapping information to the at least one communication pattern;
  
  generating an adjusted version of the at least one communication pattern by incorporating one or more communication requirements associated with the target environment to the transformed version of the at least one communication pattern;
  
  identifying a subset of the adjusted version of the at least one communication pattern to be utilized for each of the multiple intended firewall interface in the post-transformation target environment; and
  
  automatically converting the one or more vendor-neutral firewall rules into one or more vendor-specific firewall rules for the target environment based on information derived from the target environment, wherein the one or more vendor-specific firewall rules comprise commands to be directly used to configure a particular firewall device associated with a particular vendor;
  
  wherein at least one of the steps is carried out by a computer device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein obtaining at least one communication pattern further comprises:
    - using manually provided information about one or more flows at the source environment.
  - 3. The method of claim 1, wherein information derived from the target environment used for automatically generating one or more vendor-neutral firewall rules comprises at least one of:
    - firewall topology;
      
      security zone topology;
      
      security zone contents; and
      
      a new internet protocol (IP) address and subnet information.
  - 4. The method of claim 1, wherein obtaining at least one communication pattern further comprises obtaining information pertaining to service ports.
  - 5. The method of claim 1, wherein automatically generating one or more vendor-neutral rules comprises:
    - determining whether a communication pattern and/or one or more additional requirements from the target environment are relevant for the multiple firewall interfaces in the target environment; and
      
      automatically generating one or more vendor-neutral per-interface rules for one or more intended interfaces in the target environment based on the at least one communication pattern occurring in the source environment and/or one or more additional requirements from the target environment that are determined relevant for each interface.
  - 6. The method of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises generating at least one transformed communication pattern by applying a source environment-target environment IP address or subnet mapping to the at least one communication pattern occurring in the source environment.
  - 7. The method of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises incorporating new communication and/or new security requirements from the target environment.
  - 8. The method of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises incorporating information pertaining to zone contents and firewall interfaces of the target environment.
  - 9. The method of claim 5, wherein automatically generating one or more vendor-neutral per-interface rules for multiple intended interfaces in the target environment comprises applying heuristics and/or user-provided information to identify one or more service ports.
  - 10. The method of claim 1, wherein only a subset of devices in the source environment are transformed.
  - 11. The method of claim 1, wherein firewall and/or security zone topology in the target environment is partially or fully different from that of the source environment.
  - 12. The method of claim 1, wherein one or more devices in the target environment are from a different vendor and/or model and/or platform from one or more devices in the source environment.
  - 13. The method of claim 1, wherein one or more firewall devices are physical or virtual devices.
  - 14. The method of claim 1, wherein one or more security requirements in the source environment differ from those in the target environment.
  - 15. The method of claim 1, wherein one or more connectivity requirements in the source environment differ from those in the target environment.
  - 16. The method of claim 1, wherein information derived from the target environment comprises already-implemented vendor-specific firewall rules in the target environment.
  - 17. The method of claim 1, wherein automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces in a target environment comprises accounting for one or more rules already implemented for the target environment'"'"'s firewalls and recommending additions, deletions, and/or updates to the one or more rules.
  - 18. The method of claim 1, comprising automatically generating one or more vendor-specific firewall rules for a target environment during an enterprise information technology transformation activity.
  - 19. The method of claim 18, wherein an enterprise information technology transformation activity comprises at least one of migration, consolidation, virtualization, data center relocation, and cloudification of at least one application or server or service from a source information technology infrastructure to a target information technology infrastructure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Burchfield, Nancy, Hang, Nathaniel, Hosn, Rafah A., Murray, James, Ramasamy, Harigovind V.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US13/600,891
Publication Number

US 20140068698A1
Time in Patent Office

1,019 Days
Field of Search

726/1, 726/11
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

Automatically recommending firewall rules during enterprise information technology transformation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Automatically recommending firewall rules during enterprise information technology transformation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others