74 results about "Distributed firewall" patented technology

A distributed firewall system is used to implement a network firewall with enhanced control over network traffic to allow policy to be implemented on a per-user basis, a per-application basis, a per-user and application basis, and to allow ports to be dynamically opened and closed as needed by the applications. The distributed firewall system may include application identifiers associated with applications running on a network element, one or more firewall agents instantiated on the network element hosting the applications, and a firewall configured to interface with the firewall agents. Communications between the distributed components are secured to allow the firewall to detect if an agent has been compromised, and to allow the firewall agent to determine if the application has been compromised. The distributed firewall system may work in a VPN environment, such as in connection with a VPN server, to implement firewall policy at the point where VPN traffic enters the protected network.

Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall the packet back to the managed switching element through the software port.

A system and method for restricting packet transfer to a computer across a network, wherein the computer includes a network interface device coupled to the network and wherein the network interface device includes a packet filter. A security server is connected to the network. A packet is received at the network interface device and the network interface device determines if the packet is an authorized transaction. If the packet is not an authorized transaction, the packet is routed to the security server, where the security server determines whether the packet is an authorized transaction. If the security server determines that the packet is an authorized transaction, the network interface device is configured to accept similar transactions.

A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.

A distributed firewall of a gateway device includes at least one IO module for performing IO functionality of the distributed firewall, at least one security processing module for performing security functionality of the distributed firewall and a firewall controller for managing the IO module and the security processing module. Each of the at least one IO and security processing modules is executed within a virtual machine. In response to a packet received from an ingress interface, the at least one IO module is to identify a security processing module corresponding to a connections session associated with the packet, to transmit the packet to the identified security processing module to perform a security process on the packet, and in response to a signal received from the identified security processing module indicating that the security process has been completed, to transmit the packet to the egress interface.

An application profile is provided to manage security of an application deployed across two or more cloud computing networks. A user can define in the application profile first and second server groups, a cloud chamber as including the first and second server groups, and a computing flow to the cloud chamber. A firewall rule is generated based on the computing flow. The firewall rule is distributed to the first server group of the cloud chamber. A copy of the firewall rule is distributed to the second server group of the cloud chamber. The first server group is in a first cloud computing network that is provided by a first cloud provider. The second server group is in a second cloud computing network that is provided by a second cloud provider, different from the first cloud provider.

A switch capable of handling voice-over-IP (VoIP) traffic between calling devices and called devices. The switch comprises: 1) call application nodes for executing call process server applications, wherein a first call process server application and a similar second call process server application form a first load sharing group server application; and 2) network address translation nodes for executing firewall server applications. A first firewall server application executed on a first network address translation node is associated with a similar second firewall server application executed on a second network address translation nodes separate from the first network address translation node. The first and second firewall server applications form a second load sharing group server application. The second load sharing group server application receives VoIP traffic and selects one of the first and second firewall server applications to verify that the VoIP traffic is authorized to access at least one of the call process server applications in the call application nodes according to a load distribution algorithm.

The distributed firewall performs user authentication at a first level to establish a user security context for traffic from that user, and an authority context provides authorization for subsequent traffic. This authority context may be based on an underlying policy for particular types of traffic, access to particular applications, etc. Additionally, the system includes the ability to allow a user/process/application to define its own access control. The linking of the user security context from the traffic to the application is accomplished by enabling IPSec on a socket and forcing the socket to be bound in exclusive mode. The most common policy definitions may be included by default. Extensions of the Internet key exchange protocol (IKE) to provide the desired user authentication plus application/purpose are also provided. The architecture includes pluggable authorization module(s) that are called after IKE has successfully authenticated the peer, but before the connection is allowed to complete.

Methods, systems, and media for producing a firewall rule set are provided herein. Exemplary methods may include receiving a declarative policy associated with a computer network security policy; collecting information from at least one external system of record; generating a firewall rule set using the declarative policy and information, the firewall rule set including addresses to or from which network communications are permitted, denied, redirected or logged, the firewall rule set being at a lower level of abstraction than the declarative policy; and provisioning the firewall rule set to a plurality of enforcement points of a distributed firewall, the firewall selectively policing network communications among workloads using the firewall rule set.

Apparatus and systems, as well as methods and articles, may operate to control a security state associated with one or more network node(s) using a master heuristic policy enforcement module associated with a network firewall, and to selectively re-direct first packets to the network firewall from a remotely manageable network controller located within the network node(s) based upon the security state.

A Method and Technique for Automated Collection, Analysis, and Distribution of Network Security Threat Information. A new and modern threat distribution system be able to update a large number of distributed firewall devices with threat information without impacting performance. The network of firewall devices collects analysis data from all firewall devices in the network, and transmits it to a central server system. The central server system will continually distribute new threat and update information to the networked firewall devices. This feedback and update operation within the network is automated in order to result in drastic improvements in the performance, scalability and security of a modern network infrastructure.

Approaches, techniques, and mechanisms are disclosed for implementing a distributed firewall. In an embodiment, many different computer assets police incoming messages based on local policy data. This local policy data is synchronized with global policy data. The global policy data is generated by one or more separate analyzers. Each analyzer has access to message logs, or information derived therefrom, for groups of computer assets, and is thus able to generate policies based on intelligence from an entire group as opposed to an isolated asset. Among other effects, some of the approaches, techniques, and mechanisms may be effective even in computing environments with limited supervision over the attack surface, and/or computing environments in which assets may need to make independent decisions with respect to how incoming messages should be handled, on account of latency and/or unreliability in connections to other system components.

The invention provides a firewall service system based on a virtual network. The firewall service system based on the virtual network comprises a distributed type firewall manager and firewall service nodes, wherein the distributed type firewall manager is used for obtaining information of all virtual machine network interfaces in a user network according to the network identity of a user, determining the corresponding firewall service nodes according to the information of the virtual machine network interfaces, and distributing firewall configuration information and/or firewall security strategies of the user to the corresponding firework service nodes; the firewall service nodes are configured on an OVS switch based on OVS and are used for managing data flow passing through the OVS switch according to the received firewall configuration information and/or the received firewall security strategies of the user. The invention further provides a method for obtaining a virtual network firewall. By the adoption of the firewall service system based on the virtual network and the method for obtaining the virtual network firewall, through the deployment and the distributed management of the firewall service nodes, establishment of the distributed virtual network firewall is achieved.

The invention discloses one distribution firewall system, which comprises dialogue transfer system and connected content monitor filter module, wherein, the content monitor filter module is to monitor filter condition according to preset content and to filter on the message content and to send the filter result to the dialogue transfer system; the content monitor filter module and dialogue transfer system are operated in first and second processors. The invention also discloses one method to realize firewall content test.

Some embodiments provide a method for identifying unnecessary firewall rules for a distributed firewall of a logical network. The method identifies a firewall policy for network traffic of the logical network. The firewall policy includes a set of firewall rules. The method generates a set of data for implementing the firewall policy on a set of managed forwarding elements that implement the logical network. The method analyzes potential network traffic based on the generated set of data to identify a subset of unnecessary data. The method identifies a subset of unnecessary firewall rules of the set of firewall rules that corresponds to the subset of unnecessary data.

The embodiment of the invention relates to the field of network security, and particularly relates to a method and apparatus for realizing high availability. The method and apparatus is used for realizing the high availability of a plurality of network security devices. The method comprises the following steps: a first monitoring unit acquires state change information of a first monitored object and receives the state change information of a second monitored object sent by a second monitoring unit, wherein the second monitored object is a master device or a slave device of the first monitored object; the first monitoring unit updates an active/standby state of the first monitored object when the state change information of the first monitored object and the state change information of the second monitored object satisfy a preset active/standby switching condition; a next generation firewall/ intrusion prevention system and an ATCA distributed firewall and virtual firewall under the ''parallel forwarding engine'' architecture are compatible at the same time; and when the network security device needs to be changed, the device or the system of the device does not need to be changed or replaced, thereby reducing the operation cost and improving the working efficiency.

A distributed firewall device that can be hardwired to a client device and securely connect the client device to a wireless network. The client device can be a medical device connected to a healthcare facility network. The distributed firewall device transmits allowed data packets received from the client device to the wireless network and transmits allowed data packets received from the wireless network to the client device using firewall and routing configurations stored in volatile memory. A wipe module in the firewall device clears firewall and routing configurations from volatile memory upon detecting a security threat. A reload device is used to load configurations onto new or wiped firewall devices and initially connect the loaded firewall devices to the wireless network.