Method and apparatus for managing a firewall

A firewall management method and apparatus, applied in the field of firewalls, addresses the problems of growing difficulty in deploying firewalls, rule-bases that leave the gateway unreachable so that new rule-bases cannot be downloaded, and the few, if any, advances in firewall configuration and management, and has the effect of facilitating the generation of security policies.

Inactive Publication Date: 2006-12-21
BARTAL YAIR +2

AI Technical Summary

Benefits of technology

[0010] Generally, a method and apparatus are disclosed for managing a firewall. The disclosed firewall manager facilitates the generation of a security policy for a particular network environment, and automatically generates the firewall-specific configuration files from the security policy simultaneously for multiple gateways. According to one aspect of the invention, the security policy is separated from the specific rule syntax and semantics of the firewall manufacturer. Thus, the security administrator can focus on designing an appropriate policy without worrying about firewall rule complexity, rule ordering, and other low-level configuration issues.
[0011] According to another aspect of the invention, the security policy is separated from the actual network topology. Thus, the administrator can maintain a consistent policy in the presence of Intranet topology changes. Furthermore, this modularization allows the administrator to reuse the same policy at multiple corporate sites with different network details, or to allow smaller companies to use default or exemplary security policies designed by experts.
[0013] The model definition language (MDL) is used as an interface to define an instance of the entity-relationship model. The parser for the MDL generates such instances of the entity-relationship model. The model compiler translates a model instance into firewall-specific configuration files. A visualization and debugging tool is provided to transform the firewall-specific configuration files into a graphical representation of the current policy on the actual topology, allowing the viability of a chosen policy to be evaluated.

Problems solved by technology

While firewalls have seen impressive technical advances, there have been few, if any, advances in firewall configuration and management.
This scheme often leads to misconfiguration due to redundant rules in the rule-base, and the desired security policy is realized only after re-ordering some of the rules.
Another possible configuration error is to set up the rules so that the firewall gateway is completely unreachable, and it becomes impossible to download new rule-bases.
The problems of administering a firewall are even worse for a larger company, which may use more than a single firewall.
The complexity of designing and managing the rule-bases grows as the Intranets get more complex.


Embodiment Construction

[0025]FIG. 1 illustrates a representative network environment 100 in accordance with the present invention. As shown in FIG. 1, the network 100 includes two firewalls 120, 150. The external firewall 120 guards the corporation's connection to an external network, such as the Internet 110. Behind the external firewall 120 is the server zone 130, often referred to as the “demilitarized zone” (DMZ), containing the corporation's externally visible servers. In the illustrative embodiment, the visible servers in the server zone 130 include a multiple server 138 that includes email (smtp), hyper-text transfer protocol (http) file transfers (web), and file transfer protocol (ftp) file transfer services, and a domain name server (dns) service 134.

[0026] Behind the server zone 130 is an internal firewall 150 that guards the corporation's proprietary or internal network, such as an Intranet. The internal firewall 150 has three interfaces. A first interface is to the server zone 130, a second i...


Abstract

A method and apparatus are disclosed for managing a firewall. The disclosed firewall manager facilitates the generation of a security policy for a particular network environment, and automatically generates the firewall-specific configuration files from the security policy simultaneously for multiple gateways. The security policy is separated from the vendor-specific rule syntax and semantics and from the actual network topology. Thus, the security administrator can focus on designing an appropriate policy without worrying about firewall rule complexity, rule ordering, and other low-level configuration issues. In addition, the administrator can maintain a consistent policy in the presence of intranet topology changes. The disclosed firewall manager utilizes a model definition language (MDL) and an associated parser to produce an entity relationship model. A model compiler translates the entity-relationship model into the appropriate firewall configuration files. The entity-relationship model provides a framework for representing both the firewall-independent security policy, and the network topology. The security policy is expressed in terms of “roles,” which are used to define network capabilities of sending and receiving services. A role may be assumed by different hosts or host-groups in the network. A visualization and debugging tool is provided to transform the firewall-specific configuration files into a graphical representation of the current policy on the actual topology, allowing the viability of a chosen policy to be evaluated. A role-group may be closed to prevent the inheritance of roles.
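The role model of the abstract and the parse-then-compile pipeline of paragraph [0013], as an added illustration that is not the patent's own MDL or compiler: hosts assume roles through nested host-groups, a role carries send/receive capabilities toward peer roles, a closed role-group stops inheritance from the enclosing host-group, and a compile step emits per-gateway accept rules for the FIG. 1 chain (Internet, DMZ, Intranet). All host, role and zone names are constructed, and the reading of "capability" and "closed" used here is an assumption.

```python
# Constructed sample (not the patent's MDL). Assumptions: a capability is
# (direction, service, peer_role); a flow is allowed when sender holds ("send",
# svc, r) for a role r of the receiver or receiver holds ("recv", svc, r) for a
# role r of the sender; a closed role-group blocks inheritance from the parent.
ROLES = {
    "internet_host": set(),
    "employee": {("send", "http", "internet_host")},
    "web_server": {("recv", "http", "internet_host"), ("recv", "http", "employee")},
    "mail_server": {("recv", "smtp", "internet_host")},
    "admin": {("send", "ssh", "web_server"), ("send", "ssh", "mail_server")},
}
ROLE_GROUPS = {  # name -> (roles, closed)
    "outside": ({"internet_host"}, False), "staff": ({"employee"}, False),
    "ops": ({"admin"}, False),      # open: also inherits "employee" from corp
    "www": ({"web_server"}, True),  # closed: a DMZ web host is not an employee
    "mail": ({"mail_server"}, True),
}
HOST_GROUPS = {  # name -> (parent host-group, role-group)
    "internet": (None, "outside"), "corp": (None, "staff"), "it": ("corp", "ops"),
    "dmz_www": ("corp", "www"), "dmz_mail": ("corp", "mail"),
}
HOSTS = {  # host -> (zone, host-group); zones follow the chain of FIG. 1
    "any_internet": ("internet", "internet"), "alice": ("intranet", "corp"),
    "bob": ("intranet", "it"), "www1": ("dmz", "dmz_www"), "mx1": ("dmz", "dmz_mail"),
}
ZONES, SERVICES = ["internet", "dmz", "intranet"], ["http", "smtp", "ssh"]
GATEWAYS = {"fw_external": ("internet", "dmz"), "fw_internal": ("dmz", "intranet")}

def roles_of(host_group):
    """Effective roles: own role-group, plus the parent's unless the group is closed."""
    parent, rg = HOST_GROUPS[host_group]
    roles, closed = ROLE_GROUPS[rg]
    return set(roles) if parent is None or closed else set(roles) | roles_of(parent)

def allowed(src, dst, svc):
    s, d = roles_of(HOSTS[src][1]), roles_of(HOSTS[dst][1])
    return any(("send", svc, r) in ROLES[a] for a in s for r in d) or \
           any(("recv", svc, r) in ROLES[b] for b in d for r in s)

def compile_rules():
    """Per-gateway accept rules for each allowed flow that crosses it (default deny)."""
    out = {gw: [] for gw in GATEWAYS}
    for src in HOSTS:
        for dst in HOSTS:
            for svc in SERVICES:
                if src == dst or not allowed(src, dst, svc):
                    continue
                lo, hi = sorted(ZONES.index(HOSTS[h][0]) for h in (src, dst))
                for gw, (a, b) in GATEWAYS.items():
                    if lo <= ZONES.index(a) and ZONES.index(b) <= hi:
                        out[gw].append((svc, src, dst))
    return out
```

Because the "www" role-group is closed, the DMZ web host does not inherit the employee role and so gets no outbound http rule, while the open "ops" group lets bob keep employee capabilities alongside admin ones.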

Description

CROSS REFERENCE TO RELATED APPLICATION

[0001] The application is a divisional of U.S. patent application Ser. No. 10/336,874, filed Jan. 6, 2003, which is a continuation of U.S. patent application Ser. No. 09/240,934, filed Jan. 29, 1999.

FIELD OF THE INVENTION

[0002] The present invention relates generally to firewalls, and more particularly, to a method and apparatus for managing a firewall.

BACKGROUND OF THE INVENTION

[0003] Network firewalls provide important safeguards for any network connected to the Internet. Firewalls are not simple applications that can be activated “out of the box.” A firewall must be configured and managed to realize an important security policy for the particular needs of a given company or entity. It has been said that the most important factor affecting the security of a firewall is the firewall configuration. While firewalls have seen impressive technical advances, there have been few, if any, advances in firewall configuration and management.

[0004] A...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): G06F15/16, G06F13/00, H04L12/24, H04L29/06
CPC: H04L41/0893, H04L63/0263, H04L41/22, H04L41/12, H04L41/0894
Inventor: BARTAL, YAIR; MAYER, ALAIN JULES; WOOL, AVISHAI
Owner: BARTAL YAIR