Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Method and apparatus for managing a firewall

a firewall and management method technology, applied in the field of firewalls, can solve the problems of increasing the difficulty of deploying firewalls, unable to download new rule-bases, and fewer, if any, and achieve the effect of facilitating the generation of security policies

Inactive Publication Date: 2006-12-21
BARTAL YAIR +2
View PDF12 Cites 33 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Benefits of technology

"The present invention is a method and apparatus for managing a firewall. The invention provides a firewall manager that facilitates the generation of a security policy for a particular network environment and automatically generates the firewall-specific configuration files from the security policy simultaneously for multiple gateways. The security policy is separated from the actual network topology and the firewall rules, allowing the administrator to maintain a consistent policy in the presence of changes in network details or reuse the same policy at multiple corporate sites. The firewall manager utilizes a model definition language and an associated parser to produce an entity relationship model, which is translated into the appropriate firewall configuration files. The model definition language is used as an interface to define an instance of the entity-relationship model, and a visualization and debugging tool is provided to evaluate the viability of a chosen policy on the actual topology. The invention also allows a role-group to be closed so that inheritance of roles does not apply, and a host can only assume one closed role-group. Overall, the invention simplifies the process of designing and maintaining a firewall policy."

Problems solved by technology

While firewalls have seen impressive technical advances, there have been few, if any, advances in firewall configuration and management.
This scheme often leads to misconfiguration due to redundant rules in the rule-base, and the desired security policy is realized only after re-ordering some of the rules.
Another possible configuration error is to set up the rules so that the firewall gateway is completely unreachable, and it becomes impossible to download new rule-bases.
The problems of administering a firewall are even worse for a larger company, which may use more than a single firewall.
The complexity of designing and managing the rule-bases grows, as the Intranets get more complex.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Method and apparatus for managing a firewall
  • Method and apparatus for managing a firewall
  • Method and apparatus for managing a firewall

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0025]FIG. 1 illustrates a representative network environment 100 in accordance with the present invention. As shown in FIG. 1, the network 100 includes two firewalls 120, 150. The external firewall 120 guards the corporation's connection to an external network, such as the Internet 110. Behind the external firewall 120 is the server zone 130, often referred to as the “demilitarized zone” (DMZ), containing the corporation's externally visible servers. In the illustrative embodiment, the visible servers in the server zone 130 include a multiple server 138 that includes email (smtp), hyper-text transfer protocol (http) file transfers (web), and file transfer protocol (ftp) file transfer services, and a domain name server (dns) service 134.

[0026] Behind the server zone 130 is an internal firewall 150 that guards the corporation's proprietary or internal network, such as an Intranet. The internal firewall 150 has three interfaces. A first interface is to the server zone 130, a second i...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

A method and apparatus are disclosed for managing a firewall. The disclosed firewall manager facilitates the generation of a security policy for a particular network environment, and automatically generates the firewall-specific configuration files from the security policy simultaneously for multiple gateways. The security policy is separated from the vendor-specific rule syntax and semantics and from the actual network topology. Thus, the security administrator can focus on designing an appropriate policy without worrying about firewall rule complexity, rule ordering, and other low-level configuration issues. In addition, the administrator can maintain a consistent policy in the presence of intranet topology changes. The disclosed firewall manager utilizes a model definition language (MDL) and an associated parser to produce an entity relationship model. A model compiler translates the entity-relationship model into the appropriate firewall configuration files. The entity-relationship model provides a framework for representing both the firewall-independent security policy, and the network topology. The security policy is expressed in terms of “roles,” which are used to define network capabilities of sending and receiving services. A role may be assumed by different hosts or host-groups in the network. A visualization and debugging tool is provided to transform the firewall-specific configuration files into a graphical representation of the current policy on the actual topology, allowing the viability of a chosen policy to be evaluated. A role-group may be closed to prevent the inheritance of roles.

Description

CROSS REFERENCE TO RELATED APPLICATION [0001] The application is a divisional of U.S. patent application Ser. No. 10 / 336,874, filed Jan. 6, 2003, which is a continuation of U.S. patent application Ser. No. 09 / 240,934, filed Jan. 29, 1999.FIELD OF THE INVENTION [0002] The present invention relates generally to firewalls, and more particularly, to a method and apparatus for managing a firewall. BACKGROUND OF THE INVENTION [0003] Network firewalls provide important safeguards for any network connected to the Internet. Firewalls are not simple applications that can be activated “out of the box.” A firewall must be configured and managed to realize an important security policy for the particular needs of a given company or entity. It has been said that the most important factor affecting the security of a firewall is the firewall configuration. While firewalls have seen impressive technical advances, there have been few, if any, advances in firewall configuration and management. [0004] A...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(United States)
IPC IPC(8): G06F15/16G06F13/00H04L12/24H04L29/06
CPCH04L41/0893H04L63/0263H04L41/22H04L41/12H04L41/0894
Inventor BARTAL, YAIRMAYER, ALAIN JULESWOOL, AVISHAI
Owner BARTAL YAIR
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products