US20060190998A1 - Determining firewall rules for reverse firewalls


Info

Publication number
US20060190998A1
Authority
US
United States
Prior art keywords
host
profile
network
network communication
communication
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/290,976
Inventor
William Aiello
Charles Kalmanek
William Leighton
Patrick McDaniel
Subhabrata Sen
Oliver Spatscheck
Jacobus Van der Merwe
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AT&T Intellectual Property II LP
AT&T Properties LLC
Original Assignee
AT&T Corp
Application filed by AT&T Corp
Priority to US11/290,976 (US20060190998A1)
Priority to IL173160A (IL173160A0)
Priority to CA2533034A (CA2533034C)
Priority to EP06101659A (EP1694026A1)
Assigned to AT&T CORP. Assignment of assignors interest (see document for details). Assignors: AIELLO, WILLIAM A; KALMANEK, JR, CHARLES R; LEIGHTON, III, WILLIAM J; SEN, SUBHABRATA; SPATSCHECK, OLIVER; VAN DER MERWE, JACOBUS E; MCDANIEL, PATRICK
Publication of US20060190998A1
Priority to US11/616,325 (US8453227B2)
Assigned to AT&T INTELLECTUAL PROPERTY II, L.P. Assignment of assignors interest (see document for details). Assignors: AT&T PROPERTIES, LLC
Assigned to AT&T PROPERTIES, LLC. Assignment of assignors interest (see document for details). Assignors: AT&T CORP.
Priority to US13/902,206 (US8813213B2)
Assigned to AT&T CORP. Corrective assignment to correct the name of the second named assignor, Charles Robert Kalmanek, Jr., previously recorded on reel 017603 frame 0149. Assignor(s) hereby confirm the assignment. Assignors: AIELLO, WILLIAM A.; KALMANEK, CHARLES ROBERT, JR.; LEIGHTON, WILLIAM J., III; SEN, SUBHABRATA; SPATSCHECK, OLIVER; VAN DER MERWE, JACOBUS E.; MCDANIEL, PATRICK

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00: Network traffic management; Network resource management
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00: Arrangements for monitoring or testing data switching networks
    • H04L 43/16: Threshold monitoring
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227: Filtering policies
    • H04L 63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0254: Stateful filtering
    • H04L 63/0263: Rule management
    • H04L 63/029: Firewall traversal, e.g. tunnelling or creating pinholes

Definitions

  • aspects of the invention relate to a method and/or device for improving the protection of hosts in an internal network. More specifically, aspects of the invention relate to techniques for generating, maintaining, and enforcing a communications management policy in a network.
  • Enterprise networks are at risk from a deficiency in security against worms. For example, once a worm is in a company's internal network, it can spread to other internal computers even if they are completely isolated from the Internet.
  • worms may be introduced into a company's internal network by laptops that are used both outside and within the enterprise.
  • the reverse firewall may receive communication from an internal host, and may, if the communication from the host is in-profile, allow the communication to pass. Else, if the communication from the host is out-of-profile, the reverse firewall may enforce a throttling discipline on the communication to determine whether to allow or block the communication.
  • throttling disciplines in accordance with the invention include, but are not limited to, n-r-relaxed, n-r-strict, and n-r-open.
  • a profile may be generated and updated for an internal host.
  • the reverse firewall may set a throttling discipline designated for out-of-profile communication from the host.
  • the profile of an internal host may comprise an initial set of rules based on an analysis of communication between a plurality of hosts during a learning period.
  • the reverse firewall may be implemented in a network device configured to enforce a profile and a throttling discipline, and comprising a memory unit and an out-of-profile counter.
  • FIG. 1 shows an illustrative operating environment for various aspects of the invention
  • FIG. 2 depicts a flowchart of a method for securing a network using a reverse firewall in accordance with various embodiments of the invention
  • FIG. 3 illustrates a flowchart of a method for determining a policy for a reverse firewall in accordance with various embodiments of the invention.
  • FIG. 4 illustrates a memory unit in a reverse firewall in accordance with various embodiments of the invention.
  • a reverse firewall in accordance with aspects of the invention may improve the protection of the hosts within a network against worms and similar security threats.
  • the reverse firewall may generate, maintain/update, and enforce a profile of a host in the network to protect other internal hosts from that host.
  • a reverse firewall may enforce a throttling discipline (TD) to determine whether to allow or block network communication from a host.
  • FIG. 1 illustrates an example of a suitable network architecture in which aspects of the invention may be implemented.
  • the network architecture is only one example of a suitable network layout and is not intended to suggest any limitation as to the scope of use or functionality of the invention.
  • Other well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, networked PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
  • a reverse firewall in accordance with aspects of the invention may be used to secure a network 102 of hosts 114 , 116 , 118 , 120 .
  • the reverse firewall may be embodied in any network device connected to the network 102 .
  • a router 112 , hub 110 , switch 108 , and/or conventional firewall 104 may be configured to act as (or work in combination with another device to act as) a reverse firewall.
  • one or more network devices (e.g., host 118 ) may communicate with the network 102 using wireless communication such as IEEE 802.11, Wi-Fi, radio frequency (RF), and Bluetooth.
  • a network device need not be directly connected to a network 102 to be considered connected in accordance with aspects of the invention.
  • the term, connected shall not require a device to be directly connected.
  • an external host 106 may be connected to a conventional firewall 104 of the network 102 .
  • the external host 106 may receive communication from and send communication to internal hosts 114 , 116 , 118 , 120 .
  • a router 112 may be a programmable router comprising a memory unit, and configured as a reverse firewall.
  • a reverse firewall may be implemented in a computing machine (e.g., host 120 ) comprising a computer-readable medium storing computer-executable instructions.
  • program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or distributed as desired in various embodiments.
  • Suitable network architecture may include at least some form of computer readable media.
  • Computer readable media can be any available media that can be accessed by computers or other devices.
  • FIG. 3 depicts a flowchart of a method for determining a communications management policy for a reverse firewall in a network.
  • the communications management policy determines, among other things, when to drop or pass packets sent from an internal host in the network.
  • the reverse firewall may use a profile comprising a set of rules to implement aspects of the communications management policy.
  • the set of rules may be used to determine when to drop or pass packets sent from an internal host in the network.
  • the profile for an internal host 114 in the network may be generated (in step 302 ) and used by a reverse firewall to determine whether to allow or block network communication from an internal host 114 .
  • a profile for an internal host 114 may be generated at a network device (e.g., router 112 ) that is being used as a reverse firewall in accordance with aspects of the invention.
  • a computing machine 120 on the network may be configured to, among other things, collect and/or analyze desirable information for use in generating a profile of an internal host 114 .
  • the computing machine 120 may monitor communication (i.e., traffic) on a network 102 during a predetermined length of time (i.e., a learning period) to generate a profile of internal hosts.
  • the interaction between the internal hosts on the network 102 may define a community of interest.
  • the computing machine 120 may analyze flow records of the network 102 to extract information about internal host communication (e.g., source IP address, destination IP address, destination port number, communication protocol, etc.) and generate an initial set of rules corresponding to the network communication between a plurality of hosts in the network. This initial set of rules may be used to generate a profile of a host 114 on the network 102 .
  • the profile of a host 114 may be comprised of PCSPP rules (i.e., a 3-tuple rule defined by protocol, client, server port, and server profile), PCSP rules (i.e., a 3-tuple rule defined by protocol, client, and server profile), and/or PSP rules (i.e., a 3-tuple rule defined by protocol and server profile).
  • the core COI may be of a popularity community of interest (i.e., popularity COI) type, frequency community of interest (i.e., frequency COI) type, and/or a combination thereof. It will be apparent to one skilled in the art after review of the entire disclosure herein, including any disclosure incorporated by reference, that the analysis of network communication in a community of interest contributes to the generation of an initial set of rules for internal hosts on a network.
  • an initial set of rules corresponding to communication originating from a host may be generated based on an analysis of the network communication between a plurality of hosts in the network during a learning period.
  • the traffic on the network 102 may be monitored to generate a set of initial rules.
  • the analysis may begin with a two-dimensional clustering model, where the number of connections per port may be shown on one axis, while the number of destination hosts using that port may be shown on another axis. Then, using a k-means statistical clustering technique known in the art, those ports with substantially more traffic may be partitioned from other ports on the network 102 in an iterative process.
  • the k-means technique may use randomly selected centroid locations, therefore, in one example, the k-means technique may be repeated multiple (e.g., one hundred) times with different centroid locations to determine the solution with the lowest value for the sum of within-cluster point-to-centroid distances.
  • the k-means technique may result in two distinct clusters: the first cluster corresponding to points clustered around low values of number of connection and number of destination hosts, and the second cluster comprised of points that have high values along these dimensions.
  • the points of the second cluster may be selected as ports for the transport protocol (e.g., TCP, UDP, etc.) being considered.
  • This information may be used in generating PCSPP rules, PCSP rules, and/or PSP rules.
  • the data used for the clustering may be prepared by log transformation (i.e., transforming the data value for each variable to a logarithmic scale to reduce the effect of outliers at the high end of the value range) and scale standardization (e.g., z-score normalization, where variables are normalized on a common scale to avoid one variable dominating the other in the cluster).
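As an added illustration (not code from the patent or from AT&T), here is the two-dimensional clustering described above written with the Python standard library only: each port becomes a point (number of connections, number of distinct destination hosts), both variables are log-transformed and z-score standardized, and k-means with k=2 is repeated from random centroid locations, keeping the partition with the lowest sum of within-cluster point-to-centroid distances. The per-port counts are constructed sample data, and treating the cluster with the larger centroid as the service-port cluster is this example's reading of the text.

```python
import math
import random

# Constructed sample data (not from the patent): per-port counts observed over the
# learning period, as (number of connections, number of distinct destination hosts).
SAMPLE_PORT_STATS = {
    22: (4200, 310), 80: (15800, 520), 443: (9100, 470), 445: (3700, 260),
    1025: (3, 1), 1026: (5, 2), 3389: (12, 4), 5000: (2, 1), 8080: (40, 9), 49152: (1, 1),
}


def preprocess(stats):
    """Log-transform both variables (damping high-end outliers), then z-score each
    so that neither dimension dominates the distance computation."""
    ports = sorted(stats)
    logged = [(math.log1p(stats[p][0]), math.log1p(stats[p][1])) for p in ports]
    cols = list(zip(*logged))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    points = [tuple((v - m) / s for v, m, s in zip(pt, means, stds)) for pt in logged]
    return ports, points


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k, rng, max_iter=100):
    """Lloyd's k-means started from k randomly chosen data points; returns
    (labels, inertia), inertia being the sum of squared point-to-centroid distances."""
    centroids = rng.sample(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda c: _dist2(p, centroids[c])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[c] = tuple(sum(coord) / len(members) for coord in zip(*members))
    inertia = sum(_dist2(p, centroids[lab]) for p, lab in zip(points, labels))
    return labels, inertia


def select_service_ports(stats, restarts=100, seed=0):
    """Repeat 2-means from different random centroids, keep the partition with the
    lowest inertia, and return the ports that fall in the high-traffic cluster."""
    ports, points = preprocess(stats)
    rng = random.Random(seed)
    best_labels, best_inertia = None, float("inf")
    for _ in range(restarts):
        labels, inertia = kmeans(points, 2, rng)
        if inertia < best_inertia:
            best_labels, best_inertia = labels, inertia

    def centroid_size(c):  # larger coordinates mean more connections and more destinations
        members = [p for p, lab in zip(points, best_labels) if lab == c]
        return sum(map(sum, members)) / len(members) if members else float("-inf")

    high = max((0, 1), key=centroid_size)
    return sorted(port for port, lab in zip(ports, best_labels) if lab == high)
```

With the constructed counts the low-traffic cluster absorbs the ephemeral ports (and port 8080, whose 40 connections are still two orders of magnitude below the service ports), so the returned list is the four well-used services; the selected ports then feed the PCSPP, PCSP and PSP rule generation described next.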
  • a set of rules for a profile may also be generated based on data analyzed during a learning period to identify those destination-port pairs that have substantial amounts of traffic on the network 102 .
  • a rule may be added to the profile of the source host.
  • a rule may be added to a source host's profile to allow all communication from a source host to all ports on a destination host (e.g., by designating the port as a wildcard in the rule).
  • these rules may be updated.
  • the set of rules may be automatically updated to accommodate known undesirable network communication. For example, it may be desirable to remove any rules in a profile corresponding to TCP communication between two internal hosts that consists of less than three packets in each direction. In another example, it may be desirable to remove any rules in a profile corresponding to UDP communication between two internal hosts that consists of less than two packets in either direction. In yet another example, it may be desirable to not remove any rules corresponding to ICMP data communication.
  • One skilled in the art will appreciate that other updates to the profile of internal hosts are envisioned in accordance with aspects of the invention.
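An added example, not code from the patent, of the two steps just described: aggregating flow records into an initial set of candidate rules keyed by source, destination, protocol and destination port, then pruning the short TCP and UDP exchanges while keeping ICMP. The flow records and their per-direction packet-count fields are constructed (the patent fixes no record format), and reading "less than three packets in each direction" as both directions under three and "less than two packets in either direction" as at least one direction under two is this example's interpretation.

```python
from collections import defaultdict

# Constructed flow records (not from the patent), one per observed flow:
# (source, destination, protocol, destination port, packets src->dst, packets dst->src).
# The addresses reuse the 1.1.182.x example range that the text uses.
SAMPLE_FLOWS = [
    ("1.1.182.1", "1.1.182.2", "TCP", 80, 12, 9),
    ("1.1.182.1", "1.1.182.2", "TCP", 80, 30, 25),
    ("1.1.182.1", "1.1.182.3", "TCP", 445, 2, 1),    # under 3 packets each way: removed
    ("1.1.182.1", "1.1.182.2", "UDP", 53, 1, 1),     # under 2 packets in a direction: removed
    ("1.1.182.1", "1.1.182.4", "UDP", 161, 4, 4),
    ("1.1.182.1", "1.1.182.2", "ICMP", None, 1, 1),  # ICMP rules are never removed
    ("1.1.182.2", "1.1.182.1", "TCP", 22, 40, 38),
]


def build_initial_rules(flows):
    """Aggregate flows into candidate rules keyed by (source, destination, protocol,
    destination port), summing the packet counts of all flows that share a key."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, proto, port, fwd, rev in flows:
        totals[(src, dst, proto, port)][0] += fwd
        totals[(src, dst, proto, port)][1] += rev
    return dict(totals)


def is_undesirable(proto, fwd, rev):
    """Pruning criteria from the text, under the reading stated in the lead-in.
    ICMP (and any protocol not named) is kept."""
    if proto == "TCP":
        return fwd < 3 and rev < 3
    if proto == "UDP":
        return fwd < 2 or rev < 2
    return False


def prune_rules(rules):
    """Drop the rules that match a known-undesirable pattern."""
    return {key: counts for key, counts in rules.items()
            if not is_undesirable(key[2], counts[0], counts[1])}


def profile_for(rules, host):
    """The rules in one source host's profile as (destination, protocol, port) tuples;
    a None port stands for the protocol-level (portless) ICMP rule."""
    entries = [(dst, proto, port) for (src, dst, proto, port) in rules if src == host]
    return sorted(entries, key=lambda e: (e[0], e[1], -1 if e[2] is None else e[2]))
```

Running `profile_for(prune_rules(build_initial_rules(SAMPLE_FLOWS)), "1.1.182.1")` keeps the repeated TCP/80 exchange, the SNMP-sized UDP/161 exchange and the ICMP flow, and drops the two-packet TCP/445 probe and the single-packet UDP/53 lookup; the pruning threshold is applied to the aggregated counts, so a host that talks to the same service in many short flows is not penalised.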
  • a reverse firewall may be comprised of a profile of the internal hosts and/or a throttling discipline (TD).
  • a reverse firewall may set (in step 306 ) a TD for out-of-profile network communication from an internal host.
  • the TD may be used to describe the tolerable rate of out-of-profile communication from an internal host and the action to take when the rate is exceeded.
  • FIG. 2 depicts a flowchart of a method for securing a network from a host using a reverse firewall.
  • the reverse firewall may be embodied in a network device such as router 112 located on the network 102 and storing a profile of a host 114 .
  • the profile of a host 114 is comprised of a set of rules defining the internal exchange of network packets between that host 114 and other hosts ( 116 , 118 , and 120 ) in the network 102 .
  • the profile of a host 114 is discussed in greater detail in relation to the description of FIG. 4 below.
  • the reverse firewall receives network communication from an internal host 114 (i.e., a host on the internal network 102 ).
  • the network communication may be the result of an application (e.g., a web browser, instant messenger, etc.) running on the internal host 114 .
  • network communication may include any communication between devices on a network.
  • an internal host 114 may be running a telnet program that is exchanging information with another internal host 116 on port 23 using transmission control protocol (TCP).
  • the network communication may also occur using protocols, such as user datagram protocol (UDP), Internet control message protocol (ICMP), dynamic host configuration protocol (DHCP) and other protocols apparent to those skilled in the art.
  • the reverse firewall may be configured to allow or block network communication based on at least the protocol being used.
  • a reverse firewall may be configured to not block any DHCP traffic from internal hosts.
  • the reverse firewall accesses the profile corresponding to the internal host 114 that is the source of the network communication (i.e., internal source host) to determine if the parameters of the network communication (e.g., destination address, destination port, and/or communication protocol) are present in the profile of the internal source host 114 .
  • Parameters of network communication include, but are not limited to, destination address, destination port, and communication protocol. If the destination host (i.e., the host corresponding to the destination address) parameter is included in the profile of the internal source host 114 , then the network communication from the internal source host 114 to the destination host may be allowed to pass.
  • the reverse firewall may also consider the destination port parameter of the network communication in allowing (or blocking) the network communication.
  • if the profile of the internal source host 114 includes information about communication protocol, then the reverse firewall may also consider the protocol parameter of the network communication in allowing (or blocking) the network communication.
  • network communication from a host is in the profile of that host if the destination address (e.g., IP address of the destination host) parameter, destination port (e.g., port 23 ) parameter, and communication protocol (e.g., UDP) parameter are present in the profile of the host.
  • an internal source host 114 attempts to send network communication to port 23 of an internal destination host 116 using UDP.
  • the reverse firewall may access the profile corresponding to the internal source host 114 to determine if UDP communication from the internal source host 114 to port 23 on the destination host 116 is allowed in the profile.
  • if the profile contains a rule (or set of rules) allowing UDP communication from the source host 114 to port 23 on the destination host 116 , the communication may be allowed (in step 206 ) to be sent to the destination host 116 .
  • the network communication may be allowed (in step 206 ) to be sent to the destination host 116 .
  • the reverse firewall may consider additional factors in determining whether to allow or block the network communication from the source host.
  • the reverse firewall may be configured to enforce a throttling discipline (TD) on the network communication (in step 208 ).
  • a throttling discipline may be used, among other things, to control out-of-profile network communication from a host.
  • throttling disciplines include, but are not limited to, an n-r-relaxed discipline, an n-r-strict discipline, an n-r-open discipline, combinations and/or derivations of these disciplines, and/or other throttling disciplines that will be apparent to one skilled in the art after review of the entire disclosure herein.
  • an n-r-strict throttling discipline blocks all communication, both out-of-profile and in-profile, from an internal host after the number of out-of-profile communications from that internal source host exceeds a threshold ‘n’ within a time period ‘r’.
  • out-of-profile communication is not necessarily always blocked.
  • suppose a reverse firewall is enforcing an n-r-strict throttling discipline where the value of ‘n’ is zero. Then all network communication from an internal source host is blocked as soon as an out-of-profile network communication is attempted by that host.
  • a reverse firewall enforcing such a TD might not require a value for ‘r’.
  • an n-r-strict discipline with the value of ‘n’ as zero may result in a highly secure internal network 102 where no out-of-profile communication is allowed.
  • the number of out-of-profile communications may be measured by the number of out-of-profile packets or some other measurable unit that will be apparent to one skilled in the art.
  • flow records (e.g., records generated by some Cisco routers when ‘netflow’ is enabled) or a packet tracking feature on some routers may be used to measure the number of out-of-profile communications.
  • an out-of-profile counter may be used to track the number of out-of-profile communications sent from an internal host during a time period ‘r’ (e.g., 10 minutes).
  • an out-of-profile counter in a reverse firewall may be provided for each host in the internal network 102 .
  • the out-of-profile counter may be updated, e.g., by incrementing a numeric counter in the out-of-profile counter.
  • the out-of-profile counter is discussed in greater detail in relation to the description of FIG. 4 below.
  • a throttling discipline includes an n-r-relaxed discipline that allows an internal host to send ‘n’ out-of-profile communications within a time period ‘r’. If the number of out-of-profile communications exceeds the threshold ‘n’ within the time period ‘r’, all future communication (both in-profile and out-of-profile) from the internal source host is blocked.
  • if the value of ‘n’ in an n-r-relaxed throttling discipline is zero, the throttling discipline behaves the same as an n-r-strict discipline with the value of ‘n’ as zero.
  • an out-of-profile counter may be used with this TD similar to that discussed earlier.
  • a throttling discipline includes an n-r-open discipline that allows a threshold of ‘n’ out-of-profile communications within a time period ‘r’.
  • once that threshold has been reached, the reverse firewall blocks all out-of-profile communications from the internal source host.
  • the reverse firewall does not block any of the communication that is in-profile in an n-r-open discipline.
  • an out-of-profile counter may be used with this TD similar to that discussed earlier.
  • At least one benefit of an n-r-open discipline is the ability for an internal host to continue to function by communicating with other hosts in its profile even after the threshold has been reached. Thus, an internal host may still be able to operate a reduced number of network applications.
  • a network administrator or operator may be required to manually reset the out-of-profile counter corresponding to the internal host.
  • a user of the internal source host may be presented with a pop-up dialog box on a visible display screen where the user may authorize the reset of the out-of-profile counter for that host.
  • a pop-up dialog box may be less desirable than a manual reset by an administrator.
  • the user may be able to use the pop-up dialog box to update the profile of the host to include a rule (or set of rules) for the network communication at issue.
  • the reverse firewall may still block the communication.
  • the reverse firewall may enforce a throttling discipline (TD) to determine (in step 216 ) whether to allow or block the in-profile communication from the source host 114 .
  • the in-profile communication from a network host 114 is allowed (in step 206 ) regardless of whether the threshold value ‘n’ has been met.
  • a reverse firewall enforcing a throttling discipline on the network communication at issue may use, among other things, the out-of-profile counter to determine whether to block (or allow) the network communication.
  • a reverse firewall enforcing an n-r-relaxed discipline with an ‘n’ value of 10 and an ‘r’ value of 60 seconds may block (in step 214 ) all future network communication, including both in-profile and out-of-profile communication, from an internal source host after the TD threshold for that internal source host has been reached.
  • the network communication may be blocked (i.e., step 214 may be performed instead of step 206 ).
  • the out-of-profile counter in this example may contain a flag (e.g., boolean variable) for indicating a blocked state or allow state.
  • all network communication from an internal source host will continue to be blocked until a network administrator (or equivalent) resets the out-of-profile counter.
  • the out-of-profile counter may automatically reset after a predetermined amount of time (i.e., block time interval) has elapsed (e.g., 20 minutes).
  • the user of the blocked internal source host may be able to manually reset the out-of-profile counter.
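The three throttling disciplines, the per-host out-of-profile counter with its window ‘r’, the blocked flag, and the automatic reset after a block time interval, as an added Python example that is not code from the patent or from AT&T. Times are passed in explicitly (seconds) so the behaviour is deterministic; the window is a fixed window that restarts when ‘r’ has elapsed, which is one reading of "within a time period ‘r’"; and because the text does not spell out whether an n-r-strict discipline passes the out-of-profile communications it tolerates below ‘n’, this example assumes it drops them (they still count), which is the one reading that makes strict differ from relaxed here. The profile and packet sequence are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class OutOfProfileCounter:
    """Per-host state: out-of-profile communications seen in the current window of
    length r, when that window began, and the blocked flag with its timestamp."""
    count: int = 0
    window_start: float = 0.0
    blocked: bool = False
    blocked_at: float = 0.0


class ReverseFirewall:
    """Enforces a host profile plus one of the three throttling disciplines.
    profiles maps a source host to the set of (destination, protocol, port) tuples
    that are in-profile for it. A None block_interval means only a reset unblocks."""

    def __init__(self, profiles, discipline, n, r, block_interval=None):
        assert discipline in ("n-r-strict", "n-r-relaxed", "n-r-open")
        self.profiles = profiles
        self.discipline = discipline
        self.n = n                            # tolerated out-of-profile communications per window
        self.r = r                            # window length in seconds
        self.block_interval = block_interval  # block time interval in seconds, or None
        self.counters = {}

    def reset(self, host, now):
        """Manual reset by an administrator (or the host's user, where permitted)."""
        self.counters[host] = OutOfProfileCounter(window_start=now)

    def decide(self, src, dst, proto, port, now):
        ctr = self.counters.setdefault(src, OutOfProfileCounter(window_start=now))
        # Automatic reset once the block time interval has elapsed.
        if (ctr.blocked and self.block_interval is not None
                and now - ctr.blocked_at >= self.block_interval):
            self.reset(src, now)
            ctr = self.counters[src]
        in_profile = (dst, proto, port) in self.profiles.get(src, set())
        if ctr.blocked:
            # Strict and relaxed block everything; open keeps in-profile traffic flowing.
            return "pass" if (self.discipline == "n-r-open" and in_profile) else "block"
        if in_profile:
            return "pass"
        # Out-of-profile: restart the fixed window if r has elapsed, then count it.
        if now - ctr.window_start >= self.r:
            ctr.count, ctr.window_start = 0, now
        ctr.count += 1
        if ctr.count > self.n:
            ctr.blocked, ctr.blocked_at = True, now
            return "block"
        # Below the threshold. Assumption for n-r-strict: tolerated out-of-profile
        # communications are still dropped (they only count); relaxed and open pass them.
        return "block" if self.discipline == "n-r-strict" else "pass"


# Constructed profile: host 1.1.182.1 may reach 1.1.182.2 on TCP/80 and nothing else.
SAMPLE_PROFILES = {"1.1.182.1": {("1.1.182.2", "TCP", 80)}}

# Constructed packet sequence: (src, dst, proto, port, time in seconds).
SAMPLE_PACKETS = [
    ("1.1.182.1", "1.1.182.2", "TCP", 80, 0),     # in-profile
    ("1.1.182.1", "1.1.182.3", "TCP", 22, 1),     # out-of-profile no. 1
    ("1.1.182.1", "1.1.182.3", "TCP", 23, 2),     # out-of-profile no. 2
    ("1.1.182.1", "1.1.182.3", "TCP", 25, 3),     # out-of-profile no. 3, exceeds n=2
    ("1.1.182.1", "1.1.182.2", "TCP", 80, 4),     # in-profile, after the threshold
    ("1.1.182.1", "1.1.182.2", "TCP", 80, 1204),  # in-profile, after the 20-minute block interval
]


def run(discipline, n=2, r=60, block_interval=1200):
    """Return the decision for each sample packet under the given discipline."""
    fw = ReverseFirewall(SAMPLE_PROFILES, discipline, n, r, block_interval)
    return [fw.decide(*pkt) for pkt in SAMPLE_PACKETS]
```

`run("n-r-relaxed")` passes the two tolerated out-of-profile packets and then blocks everything, including the in-profile packet at t=4, until the 20-minute interval expires; `run("n-r-open")` differs only at t=4, where the in-profile packet still passes; `run("n-r-strict")` drops every out-of-profile packet from the first one. With `n=0` the strict and relaxed runs coincide, as the text notes.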
  • FIG. 4 illustrates a simplified diagram of a portion of a memory unit 400 in a reverse firewall located on a network 102 in accordance with various aspects of the invention.
  • the memory unit 400 may comprise volatile and/or non-volatile memory.
  • the memory unit 400 may store a set of rules 404 , 406 corresponding to the profile of a host 114 in the network 102 .
  • the memory unit 400 may be part of a network device (e.g., router 112 , conventional firewall 104 , computing device 120 ) configured to enforce a profile of a host 114 in a network 102 .
  • the same network device may also be configured to enforce a throttling discipline in accordance with various aspects of the invention.
  • the network device may be comprised of a programmable router (e.g., router 112 ) configured as a reverse firewall.
  • the memory unit 400 need not necessarily be physically located in a network device. Rather, in accordance with aspects of the invention, the network device may simply access the memory unit to identify the set of rules corresponding to the profile of the host in the network.
  • the profile 402 of an internal host may be comprised of PCSPP rules (i.e., a 3-tuple rule defined by protocol, client, server port, and server profile), PCSP rules (i.e., a 3-tuple rule defined by protocol, client, and server profile), and/or PSP rules (i.e., a 3-tuple rule defined by protocol and server profile).
  • a reverse firewall (e.g., router 112 ) with a profile of a host 114 comprising a PCSPP rule 404 may use that rule 404 to control network communication sent from an internal source host 114 in the network 102 .
  • a reverse firewall receiving network communication from a host 114 with an IP address of 1.1.182.1 may allow the communication if the internal destination host's IP address is 1.1.182.2 and the communication is occurring on port 80 using TCP, because that network communication is in the profile of the source host 114 .
  • a reverse firewall receiving network communication from a host 114 may allow the communication if the destination host's IP address is 1.1.182.2 and the communication is occurring using UDP, because rule 406 defines that network communication to be in the profile of the source host 114 .
  • in this example, the profile 402 of the host 114 contained a PCSP rule 406 , where the destination port of the communication was not a factor in determining whether the communication was in-profile or out-of-profile for the host.
  • a PSP rule 408 applies to the profile of all source hosts directed at a given destination host (e.g., host 118 with an IP address of 1.1.182.3).
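The profile lookup of FIG. 4 and of the in-profile check described for FIG. 2, as an added Python example that is not code from the patent: the three rule kinds are one record type in which an unset field is a wildcard, so a PCSPP rule fixes protocol, client, server and port, a PCSP rule leaves the port open, and a PSP rule leaves client and port open. The rule table reuses the 1.1.182.x addresses and rule numbers of the text but is constructed for this example; treating the port as a wildcard in a PSP rule, and exempting DHCP outright as the text says a reverse firewall may be configured to do, are this example's choices.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One profile rule. A None field is a wildcard: PCSPP fills all four fields,
    PCSP leaves port as None, PSP leaves client and port as None."""
    proto: str
    client: Optional[str]
    server: str
    port: Optional[int]

    @property
    def kind(self):
        if self.client is None:
            return "PSP"
        return "PCSP" if self.port is None else "PCSPP"

    def matches(self, src, dst, proto, port):
        return (self.proto == proto and self.server == dst
                and (self.client is None or self.client == src)
                and (self.port is None or self.port == port))


# Constructed rule table mirroring the FIG. 4 discussion (profile 402 of host 114).
PROFILE_RULES = [
    Rule("TCP", "1.1.182.1", "1.1.182.2", 80),    # PCSPP rule 404
    Rule("UDP", "1.1.182.1", "1.1.182.2", None),  # PCSP rule 406: any port
    Rule("TCP", None, "1.1.182.3", None),         # PSP rule 408: any source host to host 118
]

# Protocols the reverse firewall is configured never to block (the text names DHCP).
NEVER_BLOCKED_PROTOCOLS = {"DHCP"}


def in_profile(rules, src, dst, proto, port):
    """True if any rule in the source host's profile covers this communication."""
    return any(r.matches(src, dst, proto, port) for r in rules)


def classify(rules, src, dst, proto, port):
    """'pass' for exempted protocols and in-profile communication; otherwise
    'out-of-profile', which is handed to the throttling discipline."""
    if proto in NEVER_BLOCKED_PROTOCOLS:
        return "pass"
    return "pass" if in_profile(rules, src, dst, proto, port) else "out-of-profile"
```

Note the asymmetry the PSP rule introduces: any host may reach 1.1.182.3 over TCP, but the PCSPP and PCSP rules are one-directional, so a reply flow from 1.1.182.2 back to 1.1.182.1 needs its own rule in 1.1.182.2's profile.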
  • a network device configured to enforce a throttling discipline may be coupled to an out-of-profile counter 410 .
  • the out-of-profile counter 410 may be used to enforce the throttling discipline.
  • the out-of-profile counter 410 may be comprised of a number and a timer.
  • the out-of-profile counter 410 may comprise memory for storing the number of out-of-profile communications sent from an internal host 114 and circuitry or computer-executable instructions for use as a clock timer.
  • a memory unit 400 may store an out-of-profile counter 410 provided for each of the hosts 114 , 116 .
  • the reverse firewall may use the out-of-profile counter to determine whether the threshold level has been reached.
  • an out-of-profile counter in accordance with aspects of the invention may comprise other features, including, but not limited to, a second clock timer for determining when a block time interval, as described earlier, has elapsed.
  • a computer-readable medium containing computer-executable instructions for performing the method diagrammed in the flowcharts of FIGS. 2 and 3 is contemplated by the aforementioned disclosure.
  • the computer-executable instructions may be executed by a processing unit in a reverse firewall or any other device configured to behave accordingly.
  • the usefulness of aspects of the invention in such a context is apparent to one skilled in the art.
  • connection and similar referents in the context of describing aspects of the invention, especially in the context of the following claims, are not to be construed to require a physical connection or direct connection.
  • the terms “comprising,” “having,” “including,” and “containing” are to be construed as open-ended terms (meaning “including, but not limited to,”) unless otherwise noted.
  • the use of any and all examples or exemplary language herein (e.g., “such as”) is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.

Abstract

A reverse firewall for removing undesirable traffic from a computing network, such as a virtual private network (VPN), is disclosed. The reverse firewall uses firewall rules that may be determined and maintained within the enterprise network to control communication sent between computers in the computing network. The reverse firewall rules may be used to identify the communications between computers in the network that are undesirable and/or intrusive. For example, a computer in a network that is infected with a worm or that is surreptitiously hosting a denial-of-service attack may be identified by the reverse firewall and quarantined. The reverse firewall may be implemented in hardware and/or software.

Description

  • This application claims the benefit of priority from U.S. Provisional Application No. 60/653,925, entitled “Determining Firewall Rules For Reverse Firewalls” filed Feb. 17, 2005, the disclosure of which is expressly incorporated herein by reference in its entirety.
  • TECHNICAL FIELD
  • Aspects of the invention relate to a method and/or device for improving the protection of hosts in an internal network. More specifically, aspects of the invention relate to techniques for generating, maintaining, and enforcing a communications management policy in a network.
  • BACKGROUND
  • The outbreak of worms taking advantage of vulnerabilities in commercial desktop security software has highlighted the need for multi-faceted security measures. Perimeter defenses (e.g., conventional firewalls) are only marginally effective in suppression of worms because of the difficulty of defining and implementing these types of systems. Enterprise networks, in particular, are at risk from a deficiency in security against worms. For example, once a worm is in a company's internal network, it can spread to other internal computers even if they are completely isolated from the Internet. Furthermore, worms may be introduced into a company's internal network by laptops that are used both outside and within the enterprise.
  • Therefore, there is a need in the art for a method and/or device for protecting against worms and other security threats within enterprise networks, and generally, data networks. There is also a need in the art for a method or device for protecting a host in an internal network from other hosts in that same network in a brownfield and greenfield environment.
  • SUMMARY
  • Disclosed herein is a method for securing a network using a reverse firewall that accesses a profile of an internal host. In one embodiment, the reverse firewall may receive communication from an internal host, and may, if the communication from the host is in-profile, allow the communication to pass. Else, if the communication from the host is out-of-profile, the reverse firewall may enforce a throttling discipline on the communication to determine whether to allow or block the communication. Some examples of throttling disciplines in accordance with the invention include, but are not limited to, n-r-relaxed, n-r-strict, and n-r-open.
  • In addition, disclosed herein is a method for determining a communications management policy for a reverse firewall in a network. In one embodiment, a profile may be generated and updated for an internal host. The reverse firewall may set a throttling discipline designated for out-of-profile communication from the host. The profile of an internal host may comprise an initial set of rules based on an analysis of communication between a plurality of hosts during a learning period.
  • Furthermore, disclosed herein is a reverse firewall for controlling communication sent from an internal host. The reverse firewall may be implemented in a network device configured to enforce a profile and a throttling discipline, and comprising a memory unit and an out-of-profile counter.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • One or more embodiments of aspects of the invention are illustrated by way of example and not by way of limitation in the accompanying figures, in which like reference numerals indicate similar elements and in which:
  • FIG. 1 shows an illustrative operating environment for various aspects of the invention;
  • FIG. 2 depicts a flowchart of a method for securing a network using a reverse firewall in accordance with various embodiments of the invention;
  • FIG. 3 illustrates a flowchart of a method for determining a policy for a reverse firewall in accordance with various embodiments of the invention; and
  • FIG. 4 illustrates a memory unit in a reverse firewall in accordance with various embodiments of the invention.
  • DETAILED DESCRIPTION
  • A reverse firewall in accordance with aspects of the invention may improve the protection of the hosts within a network against worms and similar security threats. The reverse firewall may generate, maintain/update, and enforce a profile of a host in the network to protect other internal hosts from that host. In addition, a reverse firewall may enforce a throttling discipline (TD) to determine whether to allow or block network communication from a host. These and other aspects of the invention will become apparent to one skilled in the art after review of the entire disclosure and any disclosures incorporated by reference herein.
  • FIG. 1 illustrates an example of a suitable network architecture in which aspects of the invention may be implemented. The network architecture is only one example of a suitable network layout and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Other well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, networked PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
  • A reverse firewall in accordance with aspects of the invention may be used to secure a network 102 of hosts 114, 116, 118, 120. The reverse firewall may be embodied in any network device connected to the network 102. For example, a router 112, hub 110, switch 108, and/or conventional firewall 104 may be configured to act as (or work in combination with another device to act as) a reverse firewall. In addition, one or more network devices (e.g., host 118) may be connected to the network 102 through wireless communication, such as IEEE 802.11, Wi-Fi, radio frequency (RF), and Bluetooth. One skilled in the art will understand that a network device need not be directly connected to a network 102 to be considered connected in accordance with aspects of the invention. The term, connected, shall not require a device to be directly connected. Furthermore, an external host 106 may be connected to a conventional firewall 104 of the network 102. The external host 106 may receive communication from and send communication to internal hosts 114, 116, 118, 120.
  • In one illustrative embodiment of aspects of the invention, a router 112 may be a programmable router comprising a memory unit, and configured as a reverse firewall. In another example, a reverse firewall may be implemented in a computing machine (e.g., host 120) comprising a computer-readable medium storing computer-executable instructions. One skilled in the art will appreciate that aspects of the invention may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other network devices. Generally, program modules may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Typically the functionality of the program modules may be combined or distributed as desired in various embodiments. Suitable network architecture may include at least some form of computer readable media. Computer readable media can be any available media that can be accessed by computers or other devices.
  • FIG. 3 depicts a flowchart of a method for determining a communications management policy for a reverse firewall in a network. The communications management policy determines, among other things, when to drop or pass packets sent from an internal host in the network. In one example, the reverse firewall may use a profile comprising a set of rules to implement aspects of the communications management policy. The set of rules may be used to determine when to drop or pass packets sent from an internal host in the network.
  • The profile for an internal host 114 in the network may be generated (in step 302) and used by a reverse firewall to determine whether to allow or block network communication from an internal host 114. In one embodiment, a profile for an internal host 114 may be generated at a network device (e.g., router 112) that is being used as a reverse firewall in accordance with aspects of the invention. In an alternative embodiment, a computing machine 120 on the network may be configured to, among other things, collect and/or analyze desirable information for use in generating a profile of an internal host 114. The computing machine 120 may monitor communication (i.e., traffic) on a network 102 during a predetermined length of time (i.e., a learning period) to generate a profile of internal hosts.
  • The interaction between the internal hosts on the network 102 may define a community of interest. For example, the computing machine 120 may analyze flow records of the network 102 to extract information about internal host communication (e.g., source IP address, destination IP address, destination port number, communication protocol, etc.) and generate an initial set of rules corresponding to the network communication between a plurality of hosts in the network. This initial set of rules may be used to generate a profile of a host 114 on the network 102. The profile of a host 114 may be comprised of PCSPP rules (i.e., a 3-tuple rule defined by protocol, client, server port, and server profile), PCSP rules (i.e., a 3-tuple rule defined by protocol, client, and server profile), and/or PSP rules (i.e., a 3-tuple rule defined by protocol and server profile).
  • In accordance with aspects of the invention, it may be desirable to identify a core community of interest (i.e., core COI) for each relevant internal host. The core COI may be of a popularity community of interest (i.e., popularity COI) type, frequency community of interest (i.e., frequency COI) type, and/or a combination thereof. It will be apparent to one skilled in the art after review of the entirety disclosed herein, including any disclosure incorporated by reference, that the analysis of network communication in a community of interest contributes to the generation of an initial set of rules for internal hosts on a network.
  • In one example, in step 302, an initial set of rules corresponding to communication originating from a host may be generated based on an analysis of the network communication between a plurality of hosts in the network during a learning period. During the learning period, the traffic on the network 102 may be monitored to generate a set of initial rules. The analysis may begin with a two-dimensional clustering model, where the number of connections per port may be shown on one axis, while the number of destination hosts using that port may be shown on another axis. Then, using a k-means statistical clustering technique known in the art, those ports with substantially more traffic may be partitioned from other ports on the network 102 in an iterative process. The k-means technique may use randomly selected centroid locations; therefore, in one example, the k-means technique may be repeated multiple (e.g., one hundred) times with different centroid locations to determine the solution with the lowest value for the sum of within-cluster point-to-centroid distances. The k-means technique may result in two distinct clusters: the first cluster corresponding to points clustered around low values of number of connections and number of destination hosts, and the second cluster comprised of points that have high values along these dimensions. Thus, the points of the second cluster may be selected as ports for the transport protocol (e.g., TCP, UDP, etc.) being considered. This information may be used in generating PCSPP rules, PCSP rules, and/or PSP rules. Moreover, one skilled in the art will appreciate that log transformation (i.e., transforming the data value for each variable to a logarithmic scale to reduce the effect of outliers at the high end of the value range) and scale standardization (e.g., z-score normalization, where variables are normalized on a common scale to prevent one variable from dominating the other in the cluster) may be used in addition to k-means techniques.
  • In another example, in step 302, a set of rules for a profile may also be generated based on data analyzed during a learning period to identify those destination-port pairs that have substantial amounts of traffic on the network 102. For any source hosts communicating with the destination-port pair (i.e., the port on the destination host) a rule may be added to the profile of the source host. In yet another example, a rule may be added to a source host's profile to allow all communication from a source host to all ports on a destination host (e.g., by designating the port as a wildcard in the rule).
  • Once the initial set of rules has been generated, then in step 304 these rules may be updated. The set of rules may be automatically updated to accommodate for known undesirable network communication. For example, it may be desirable to remove any rules in a profile corresponding to TCP communication between two internal hosts that consists of less than three packets in each direction. In another example, it may be desirable to remove any rules in a profile corresponding to UDP communication between two internal hosts that consists of less than two packets in either direction. In yet another example, it may be desirable to not remove any rules corresponding to ICMP data communication. One skilled in the art will appreciate that other updates to the profile of internal hosts are envisioned in accordance with aspects of the invention.
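The learning-period procedure of steps 302 and 304 (port selection by two-cluster k-means over per-port connection and destination counts, PCSPP rule generation, and pruning of short exchanges), carried through on constructed flow records as an added example; this is not code from the patent or its assignee. Assumptions made here: the k-means is a plain Lloyd's algorithm with the log transform, z-scoring and best-of-100 random restarts the text mentions; the per-port clustering is applied only to TCP and UDP; only PCSPP rules are emitted; and the packet-count thresholds are read literally (a TCP flow is pruned when both directions carry fewer than three packets, a UDP flow when either direction carries fewer than two). The `Flow` and `Rule` tuples and all flow records are constructed for the example.

```python
"""Learning-period profile generation after steps 302 and 304 (added example):
service ports per transport protocol from a two-cluster k-means, PCSPP rules
for flows on those ports, scan-like flows skipped. Flow data is constructed."""
import math
import random
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto dport pkts_fwd pkts_rev")
Rule = namedtuple("Rule", "proto client dport server")  # PCSPP rule

def port_stats(flows, proto):
    """dport -> (number of flows, number of distinct destination hosts)."""
    conns, dests = defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto == proto:
            conns[f.dport] += 1
            dests[f.dport].add(f.dst)
    return {p: (conns[p], len(dests[p])) for p in conns}

def standardise(stats):
    """log1p each axis (tames high outliers), then z-score each axis."""
    ports, axes = sorted(stats), []
    for i in (0, 1):
        col = [math.log1p(stats[p][i]) for p in ports]
        mean = sum(col) / len(col)
        sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        axes.append([(v - mean) / sd for v in col])
    return ports, list(zip(axes[0], axes[1]))

def _assign(points, cents):
    """Nearest-centroid assignment into two groups."""
    groups = [[], []]
    for pt in points:
        d = [(pt[0] - c[0]) ** 2 + (pt[1] - c[1]) ** 2 for c in cents]
        groups[d.index(min(d))].append(pt)
    return groups

def kmeans2(points, restarts=100, seed=0):
    """Lloyd's k=2 from random centroids; keep the restart with least SSE."""
    rng, best = random.Random(seed), None
    for _ in range(restarts):
        cents = rng.sample(points, 2)
        for _ in range(50):
            groups = _assign(points, cents)
            new = [tuple(sum(v[i] for v in g) / len(g) for i in (0, 1))
                   if g else cents[k] for k, g in enumerate(groups)]
            if new == cents:
                break
            cents = new
        groups = _assign(points, cents)
        sse = sum((pt[0] - cents[k][0]) ** 2 + (pt[1] - cents[k][1]) ** 2
                  for k, g in enumerate(groups) for pt in g)
        if best is None or sse < best[0]:
            best = (sse, cents, groups)
    return best[1], best[2]

def service_ports(flows, proto):
    """Ports in the high-traffic cluster (the description's second cluster)."""
    stats = port_stats(flows, proto)
    if len(stats) < 2:
        return set(stats)
    ports, pts = standardise(stats)
    cents, groups = kmeans2(pts)
    hi = max((0, 1), key=lambda k: sum(cents[k]))
    return {ports[i] for i, pt in enumerate(pts) if pt in groups[hi]}

def scan_like(f):
    """Step 304 read literally (assumption): TCP with < 3 packets in each
    direction, UDP with < 2 packets in either direction; ICMP never pruned."""
    if f.proto == "tcp":
        return f.pkts_fwd < 3 and f.pkts_rev < 3
    if f.proto == "udp":
        return f.pkts_fwd < 2 or f.pkts_rev < 2
    return False

def build_profiles(flows):
    """Step 302 then 304: PCSPP rules per source host, scan-like flows skipped."""
    ports = {p: service_ports(flows, p) for p in ("tcp", "udp")}
    profiles = defaultdict(set)
    for f in flows:
        if f.proto in ports and f.dport not in ports[f.proto]:
            continue  # not a learned service port for this protocol
        if not scan_like(f):
            profiles[f.src].add(Rule(f.proto, f.src, f.dport, f.dst))
    return dict(profiles)

def sample_flows():
    """Constructed learning-period flow records, not captured traffic."""
    web = [Flow(f"10.0.0.{i}", f"10.0.9.{j}", "tcp", 80, 12, 9)
           for i in range(1, 7) for j in range(1, 6)]
    smb = [Flow(f"10.0.0.{i}", f"10.0.8.{j}", "tcp", 445, 30, 25)
           for i in range(1, 5) for j in range(1, 4)]
    dns = [Flow(f"10.0.0.{i}", d, "udp", 53, 2, 2)
           for i in range(1, 7) for d in ("10.0.9.53", "10.0.9.54")]
    odd = [Flow("10.0.0.99", "10.0.9.1", "tcp", 80, 1, 1),   # scan-like
           Flow("10.0.0.99", "10.0.9.2", "tcp", 135, 2, 1),  # rare port
           Flow("10.0.0.7", "10.0.9.7", "udp", 137, 1, 0),   # rare port
           Flow("10.0.0.2", "10.0.9.3", "icmp", 0, 1, 0)]    # kept as-is
    return web + smb + dns + odd
```

On the sample data the TCP clustering separates ports 80 and 445 from the rarely used ports, only UDP 53 survives for UDP, host 10.0.0.99 ends up with no rules at all (its only service-port flow is scan-like), and the ICMP flow is retained without any threshold check.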
  • In various embodiments of the invention, it may be desirable for the communications management policy for a reverse firewall to be comprised of a profile of the internal hosts and/or a throttling discipline (TD). As described earlier, a reverse firewall may set (in step 306) a TD for out-of-profile network communication from an internal host. In one example, the TD may be used to describe the tolerable rate of out-of-profile communication from an internal host and the action to take when the rate is exceeded. After review of the entirety disclosed herein, one skilled in the art will appreciate that various throttling disciplines are available for use with a reverse firewall.
  • In accordance with aspects of the invention, FIG. 2 depicts a flowchart of a method for securing a network from a host using a reverse firewall. In the illustrative embodiment depicted by FIG. 2, the reverse firewall may be embodied in a network device such as router 112 located on the network 102 and storing a profile of a host 114. The profile of a host 114 is comprised of a set of rules defining the internal exchange of network packets between that host 114 and other hosts (116, 118, and 120) in the network 102. The profile of a host 114 is discussed in greater detail in relation to the description of FIG. 4 below.
  • In step 202, the reverse firewall receives network communication from an internal host 114 (i.e., a host on the internal network 102). The network communication may be the result of an application (e.g., a web browser, instant messenger, etc.) running on the internal host 114. One skilled in the art will recognize that network communication may include any communication between devices on a network. For example, an internal host 114 may be running a telnet program that is exchanging information with another internal host 116 on port 23 using transmission control protocol (TCP). The network communication may also occur using protocols, such as user datagram protocol (UDP), Internet control message protocol (ICMP), dynamic host configuration protocol (DHCP) and other protocols apparent to those skilled in the art. In some embodiments, the reverse firewall may be configured to allow or block network communication based on at least the protocol being used. For example, a reverse firewall may be configured to not block any DHCP traffic from internal hosts. These and other embodiments of aspects of the invention will become apparent to one skilled in the art after review of the entire disclosure.
  • In step 204, the reverse firewall accesses the profile corresponding to the internal host 114 that is the source of the network communication (i.e., internal source host) to determine if the parameters of the network communication (e.g., destination address, destination port, and/or communication protocol) are present in the profile of the internal source host 114. Parameters of network communication include, but are not limited to, destination address, destination port, and communication protocol. If the destination host (i.e., the host corresponding to the destination address) parameter is included in the profile of the internal source host 114, then the network communication from the internal source host 114 to the destination host may be allowed to pass. In addition, if the profile of the internal source host 114 includes information about a port or range of ports on the destination host, then the reverse firewall may also consider the destination port parameter of the network communication in allowing (or blocking) the network communication. Moreover, if the profile of the internal source host 114 includes information about communication protocol, then the reverse firewall may also consider the protocol parameter of the network communication in allowing (or blocking) the network communication. In one embodiment, network communication from a host is in the profile of that host if the destination address (e.g., IP address of the destination host) parameter, destination port (e.g., port 23) parameter, and communication protocol (e.g., UDP) parameter are present in the profile of the host. One skilled in the art will appreciate that numerous variations and/or combinations of the exemplary items (e.g., address, port, protocol, allow/block status, etc.) that may appear in a rule of a profile are envisioned in accordance with aspects of the invention.
  • In an example in accordance with aspects of the invention, an internal source host 114 attempts to send network communication to port 23 of an internal destination host 116 using UDP. The reverse firewall may access the profile corresponding to the internal source host 114 to determine if UDP communication from the internal source host 114 to port 23 on the destination host 116 is allowed in the profile. In one example, assuming the profile contains a rule (or set of rules) allowing UDP communication from the source host 114 to port 23 on the destination host 116, the communication may be allowed (in step 206) to be sent to the destination host 116. In another example, assuming the profile contains a rule (or set of rules) allowing UDP communication from the source host 114 to any port on the destination host 116 (e.g., the port is a wildcard, port is not an item in the profile, etc.), the network communication may be allowed (in step 206) to be sent to the destination host 116. One skilled in the art will appreciate that numerous variations and combinations of the above examples of profile rules (or set of rules) are envisioned in accordance with aspects of the invention.
  • On the other hand, if the network communication from the source host 114 is not in the internal source host's profile (i.e., it is out-of-profile network communication), the reverse firewall may consider additional factors in determining whether to allow or block the network communication from the source host. For example, the reverse firewall may be configured to enforce a throttling discipline (TD) on the network communication (in step 208). A throttling discipline may be used, among other things, to control out-of-profile network communication from a host. Examples of throttling disciplines include, but are not limited to, an n-r-relaxed discipline, an n-r-strict discipline, an n-r-open discipline, combinations and/or derivations of these disciplines, and/or other throttling disciplines that will be apparent to one skilled in the art after review of the entire disclosure herein.
  • For example, an n-r-strict throttling discipline blocks all communication, both out-of-profile and in-profile, from an internal host after the number of out-of-profile communications from that internal source host exceeds a threshold ‘n’ within a time period ‘r’. Thus, out-of-profile communication is not necessarily always blocked. In one example in accordance with various aspects of the invention, a reverse firewall is enforcing an n-r-strict throttling discipline where the value of ‘n’ is zero. Therefore, all network communication from an internal source host is blocked when an out-of-profile network communication is attempted by the internal source host. A reverse firewall enforcing such a TD might not require a value for ‘r’. An n-r-strict discipline with the value of ‘n’ as zero may result in a highly secure internal network 102 where no out-of-profile communication is allowed.
  • The number of out-of-profile communications may be measured by the number of out-of-profile packets or some other measurable unit that will be apparent to one skilled in the art. For example, flow records (e.g., records generated by some Cisco routers when ‘netflow’ is enabled) grouped into, e.g., 5-minute intervals, may be used to determine the number of out-of-profile communications. Similarly, the packet tracking feature on some routers may be used to measure the number of out-of-profile communications. Furthermore, an out-of-profile counter may be used to track the number of out-of-profile communications sent from an internal host during a time period ‘r’ (e.g., 10 minutes). In an illustrative embodiment, an out-of-profile counter in a reverse firewall may be provided for each host in the internal network 102. When the network communication from an internal host is not in the profile of that host, (in step 210) the out-of-profile counter may be updated, e.g., by incrementing a numeric counter in the out-of-profile counter. The out-of-profile counter is discussed in greater detail in relation to the description of FIG. 4 below.
  • Another example of a throttling discipline includes an n-r-relaxed discipline that allows an internal host to send ‘n’ out-of-profile communications within a time period ‘r’. If the number of out-of-profile communications exceeds the threshold ‘n’ within the time period ‘r’, all future communication (both in-profile and out-of-profile) from the internal source host is blocked. When the value of ‘n’ in an n-r-relaxed throttling discipline is zero, the throttling discipline behaves the same as an n-r-strict discipline with the value of ‘n’ as zero. In addition, an out-of-profile counter may be used with this TD similar to that discussed earlier.
  • Yet another example of a throttling discipline includes an n-r-open discipline that allows a threshold of ‘n’ out-of-profile communications within a time period ‘r’. Under this TD, once the threshold has been reached, the reverse firewall blocks all out-of-profile communications from the internal source host. The reverse firewall, however, does not block any of the communication that is in-profile in an n-r-open discipline. In addition, an out-of-profile counter may be used with this TD similar to that discussed earlier. At least one benefit of an n-r-open discipline is the ability for an internal host to continue to function by communicating with other hosts in its profile even after the threshold has been reached. Thus, an internal host may still be able to operate a reduced number of network applications.
  • In some throttling disciplines, once a threshold has been reached, a network administrator or operator may be required to manually reset the out-of-profile counter corresponding to the internal host. In an alternative embodiment in accordance with aspects of the invention, a user of the internal source host may be presented with a pop-up dialog box on a visible display screen where the user may authorize the reset of the out-of-profile counter for that host. One skilled in the art will appreciate that in some industries, e.g., banking, that are required to enforce high standards of network security, a pop-up dialog box may be less desirable than a manual reset by an administrator. In another embodiment, the user may be able to use the pop-up dialog box to update the profile of the host to include a rule (or set of rules) for the network communication at issue.
  • In another example in accordance with aspects of the invention, even if the profile contains a rule (or a set of rules) allowing the communication between a source host 114 and a destination host 116 (in step 204), the reverse firewall may still block the communication. The reverse firewall may enforce a throttling discipline (TD) to determine (in step 216) whether to allow or block the in-profile communication from the source host 114. For example, in a reverse firewall enforcing a TD of n-r-relaxed discipline, once the ‘n’ value has been exceeded within a time period ‘r’, all future communication, including both in-profile and out-of-profile communication, from the host is blocked (in step 214). In another example involving a reverse firewall enforcing a TD of n-r-open discipline, the in-profile communication from a network host 114 is allowed (in step 206) regardless of whether the threshold value ‘n’ has been met.
  • In step 212, a reverse firewall enforcing a throttling discipline on the network communication at issue may use, among other things, the out-of-profile counter to determine whether to block (or allow) the network communication. For example, a reverse firewall enforcing an n-r-relaxed discipline with an ‘n’ value of 10 and ‘r’ value of 60 seconds may block (in step 214) all future network communication, including both in-profile and out-of-profile communication, from an internal source host after the TD for that internal source host has been reached. In that example, even if the network communication is in the profile of the internal source host in step 204, the network communication may be blocked (i.e., step 214 may be performed instead of step 206). The out-of-profile counter in this example may contain a flag (e.g., a Boolean variable) for indicating a blocked state or allow state. In some embodiments, all network communication from an internal source host will continue to be blocked until a network administrator (or equivalent) resets the out-of-profile counter. In another embodiment, the out-of-profile counter may automatically reset after a predetermined amount of time (i.e., block time interval) has elapsed (e.g., 20 minutes). In yet another embodiment, the user of the blocked internal source host may be able to manually reset the out-of-profile counter. One skilled in the art will appreciate that there are various techniques for blocking (in step 214) network communication from an internal host. For example, a reverse firewall may simply refuse to forward (i.e., drop) certain packets to their destination. In another example, address resolution protocol (ARP) may be used to modify mappings stored in tables used by the internal source host to effectively block the appropriate communication from the internal source host.
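The decision flow of FIG. 2 (steps 202 through 216) with the three throttling disciplines and a per-host out-of-profile counter, as an added example that is not the patent's or its assignee's code. Assumptions: a profile is a plain set of (protocol, destination address, destination port) tuples; time is passed in as seconds so the time period ‘r’ and the block time interval can be exercised without a clock; the counting window is a fixed window of length ‘r’ that starts at the first communication; the description gives n-r-strict and n-r-relaxed the same threshold semantics, so both are implemented identically (everything from the host is blocked once ‘n’ is exceeded within ‘r’), and only n-r-open differs by still passing in-profile traffic while blocked. The addresses and event sequence are constructed around the description's 1.1.182.x example hosts.

```python
"""Reverse-firewall decision logic of FIG. 2 (added example) with one
out-of-profile counter per internal host; sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Key = Tuple[str, str, int]  # (protocol, destination address, destination port)


@dataclass
class OutOfProfileCounter:
    """Number plus timer (FIG. 4, 410); blocked_since doubles as the flag."""
    count: int = 0
    window_start: float = 0.0
    blocked_since: Optional[float] = None


@dataclass
class ReverseFirewall:
    discipline: str                          # "n-r-strict", "n-r-relaxed" or "n-r-open"
    n: int                                   # tolerated out-of-profile communications
    r: float                                 # time period in seconds
    block_interval: Optional[float] = None   # automatic reset after this long, if set
    profiles: Dict[str, Set[Key]] = field(default_factory=dict)
    counters: Dict[str, OutOfProfileCounter] = field(default_factory=dict)

    def reset(self, host: str, now: float) -> OutOfProfileCounter:
        """Manual reset by an administrator (also used for the automatic reset)."""
        self.counters[host] = OutOfProfileCounter(window_start=now)
        return self.counters[host]

    def _counter(self, host: str, now: float) -> OutOfProfileCounter:
        c = self.counters.setdefault(host, OutOfProfileCounter(window_start=now))
        if (c.blocked_since is not None and self.block_interval is not None
                and now - c.blocked_since >= self.block_interval):
            c = self.reset(host, now)          # block time interval elapsed
        elif c.blocked_since is None and now - c.window_start >= self.r:
            c.count, c.window_start = 0, now   # new counting window of length r
        return c

    def decide(self, now: float, src: str, proto: str, dst: str, dport: int) -> str:
        """Return "allow" (step 206) or "block" (step 214) for one communication."""
        c = self._counter(src, now)
        in_profile = (proto, dst, dport) in self.profiles.get(src, set())  # step 204
        if c.blocked_since is not None:                 # steps 212 / 216
            if self.discipline == "n-r-open":
                return "allow" if in_profile else "block"
            return "block"      # strict and relaxed block in-profile traffic too
        if in_profile:
            return "allow"
        c.count += 1            # step 210: one more out-of-profile communication
        if c.count > self.n:    # threshold n exceeded within time period r
            c.blocked_since = now
            return "block"
        return "allow"


def run(fw: ReverseFirewall, events):
    """Feed (now, src, proto, dst, dport) events and collect the decisions."""
    return [fw.decide(*e) for e in events]


PROFILE = {"1.1.182.1": {("tcp", "1.1.182.2", 80), ("udp", "1.1.182.2", 53)}}
EVENTS = [  # constructed sequence from host 1.1.182.1; port 23 is out-of-profile
    (0.0, "1.1.182.1", "tcp", "1.1.182.2", 80),
    (1.0, "1.1.182.1", "tcp", "1.1.182.3", 23),
    (2.0, "1.1.182.1", "tcp", "1.1.182.4", 23),
    (3.0, "1.1.182.1", "tcp", "1.1.182.5", 23),     # third out-of-profile: n=2 exceeded
    (4.0, "1.1.182.1", "tcp", "1.1.182.2", 80),     # in-profile while blocked
    (1203.0, "1.1.182.1", "tcp", "1.1.182.2", 80),  # after the 1200 s block interval
]


def demo(discipline: str, n: int = 2):
    """Run the constructed event list under one discipline with r=60 s."""
    fw = ReverseFirewall(discipline, n, r=60.0, block_interval=1200.0, profiles=PROFILE)
    return run(fw, EVENTS)
```

Running `demo` shows the difference the description draws: under n-r-relaxed the in-profile event at t=4 is blocked along with everything else, under n-r-open it still passes, and under n-r-strict with n=0 the very first out-of-profile attempt puts the host into the blocked state. In every case the automatic reset after the block time interval lets the t=1203 in-profile communication through.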
  • FIG. 4 illustrates a simplified diagram of a portion of a memory unit 400 in a reverse firewall located on a network 102 in accordance with various aspects of the invention. The memory unit 400 may comprise volatile and/or non-volatile memory. The memory unit 400 may store a set of rules 404, 406 corresponding to the profile of a host 114 in the network 102. The memory unit 400 may be part of a network device (e.g., router 112, conventional firewall 104, computing device 120) configured to enforce a profile of a host 114 in a network 102. The same network device may also be configured to enforce a throttling discipline in accordance with various aspects of the invention. For example, the network device may be comprised of a programmable router (e.g., router 112) configured as a reverse firewall. One skilled in the art will appreciate that the memory unit 400 need not necessarily be physically located in a network device. Rather, in accordance with aspects of the invention, the network device may simply access the memory unit to identify the set of rules corresponding to the profile of the host in the network.
  • In the illustrative embodiment in FIG. 4, the profile 402 of an internal host may be comprised of PCSPP rules (i.e., a 3-tuple rule defined by protocol, client, server port, and server profile), PCSP rules (i.e., a 3-tuple rule defined by protocol, client, and server profile), and/or PSP rules (i.e., a 3-tuple rule defined by protocol and server profile). A reverse firewall (e.g., router 112) with a profile of a host 114 comprising a PCSPP rule 404 may use that rule 404 to control network communication sent from an internal source host 114 in the network 102. For example, a reverse firewall receiving network communication from a host 114 with an IP address of 1.1.182.1 may allow the communication if the internal destination host's IP address is 1.1.182.2 and the communication is occurring on port 80 using TCP, because that network communication is in the profile of the source host 114. Similarly, a reverse firewall receiving network communication from a host 114 may allow the communication if the destination host's IP address is 1.1.182.2 and the communication is occurring using UDP, because rule 406 defines that network communication to be in the profile of the source host 114. In that example, the profile 402 of the host 114 contained a PCSP rule 406 where the destination port of the communication was not a factor in determining whether the communication was in-profile or out-of-profile for the host. Meanwhile, a PSP rule 408 applies to the profile of all source hosts directed at a given destination host (e.g., host 118 with an IP address of 1.1.182.3).
  • A network device configured to enforce a throttling discipline may be coupled to an out-of-profile counter 410. The out-of-profile counter 410 may be used to enforce the throttling discipline. The out-of-profile counter 410 may be comprised of a number and a timer. In other words, the out-of-profile counter 410 may comprise memory for storing the number of out-of-profile communications sent from an internal host 114 and circuitry or computer-executable instructions for use as a clock timer. For example, in a network 102 comprising a reverse firewall (e.g., router 112) and two internal hosts 114, 116 connected to a network device 112, a memory unit 400 may store an out-of-profile counter 410 for each of the hosts 114, 116. In enforcing a throttling discipline, the reverse firewall may use the out-of-profile counter to determine whether the threshold level has been reached. One skilled in the art will recognize that an out-of-profile counter in accordance with aspects of the invention may comprise other features, including, but not limited to, a second clock timer for determining when a block time interval, as described earlier, has elapsed.
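The three rule shapes of the FIG. 4 profile (PCSPP rule 404, PCSP rule 406 and PSP rule 408), as an added matcher that is not the patent's or its assignee's code. It shows the in-profile decision of step 204 for the description's own cases: a wildcard port makes the destination port irrelevant (PCSP), and a wildcard client makes the rule apply to every internal source host sending to that server (PSP). The addresses are those given in the description; the protocol of PSP rule 408 is not stated there and is assumed to be TCP, and the "most specific rule first" ordering is this example's choice for reporting only, since every rule in a profile allows.

```python
"""FIG. 4 rule shapes as a small matcher (added example, constructed rules)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    proto: str
    server: str
    client: Optional[str] = None   # None: any internal source host (PSP)
    port: Optional[int] = None     # None: any destination port (PCSP, PSP)

    @property
    def kind(self) -> str:
        """PCSPP, PCSP or PSP, by which fields are left as wildcards."""
        if self.client is None:
            return "PSP"
        return "PCSP" if self.port is None else "PCSPP"

    def matches(self, proto: str, client: str, server: str, port: int) -> bool:
        return (self.proto == proto and self.server == server
                and self.client in (None, client)
                and self.port in (None, port))


def matching_rule(rules: Iterable[Rule], proto: str, client: str,
                  server: str, port: int) -> Optional[Rule]:
    """Most specific matching rule, or None when the communication is out-of-profile."""
    order = {"PCSPP": 0, "PCSP": 1, "PSP": 2}  # reporting order only; all rules allow
    hits = [r for r in rules if r.matches(proto, client, server, port)]
    return min(hits, key=lambda r: order[r.kind]) if hits else None


def classify(rules: Iterable[Rule], proto: str, client: str, server: str, port: int) -> str:
    """Step 204 outcome for one communication, naming the rule shape that matched."""
    r = matching_rule(rules, proto, client, server, port)
    return f"in-profile ({r.kind})" if r else "out-of-profile"


# Profile 402 from FIG. 4: rule 404 (PCSPP), rule 406 (PCSP), rule 408 (PSP; protocol assumed)
PROFILE_402 = [
    Rule("tcp", "1.1.182.2", client="1.1.182.1", port=80),
    Rule("udp", "1.1.182.2", client="1.1.182.1"),
    Rule("tcp", "1.1.182.3"),
]
```

With this profile, TCP from 1.1.182.1 to 1.1.182.2 is in-profile only on port 80, UDP from 1.1.182.1 to 1.1.182.2 is in-profile on any port, and TCP from any source host to 1.1.182.3 is in-profile regardless of port; everything else from 1.1.182.1 goes to the throttling discipline as out-of-profile.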
  • After thorough review of the entire disclosure, it will become apparent to one skilled in the art that there are numerous practical applications for various aspects of the invention. For example, a computer-readable medium containing computer-executable instructions for performing the method diagrammed in the flowcharts of FIGS. 2 and 3 is contemplated by the aforementioned disclosure. The computer-executable instructions may be executed by a processing unit in a reverse firewall or any other device configured to behave accordingly. The usefulness of aspects of the invention in such a context is apparent to one skilled in the art.
  • The use of the term “connect” and similar referents in the context of describing aspects of the invention, especially in the context of the following claims, is to be construed to require a physical connection or direct connection. Furthermore, the terms “comprising,” “having,” “including,” and “containing” are to be construed as open-ended terms (meaning “including, but not limited to,”) unless otherwise noted. The use of any and all examples or exemplary language herein (e.g., “such as”) is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.
  • Various aspects of the invention have been described in terms of exemplary or illustrative embodiments thereof. Numerous other embodiments, modifications and variations within the scope and spirit of the appended claims will occur to persons of ordinary skill in the art from a review of this disclosure and any disclosures incorporated by reference herein.

Claims (20)

1. A method for securing a network using a reverse firewall, the reverse firewall accessing a profile of a host in the network, the method comprising the steps of:
at the reverse firewall, receiving a network communication from a host in the network;
if parameters of the network communication from the host are in the profile of the host, allowing the network communication from the host; and
if parameters of the network communication from the host are not in the profile of the host, enforcing a throttling discipline on the network communication to determine whether to allow or to block the network communication from the host.
2. The method of claim 1, the reverse firewall further comprising an out-of-profile counter for each host in the network, the method further comprising the steps of:
updating the out-of-profile counter for the host, if the parameters of the network communication from the host are not in the profile of the host.
3. The method of claim 2, wherein the throttling discipline is a n-r-relaxed discipline.
4. The method of claim 2, wherein the throttling discipline is a n-r-strict discipline.
5. The method of claim 2, wherein the throttling discipline is a n-r-open discipline for controlling out-of-profile network communication from the host.
6. The method of claim 4, the value of n being zero, and all network communication from the host being blocked when an out-of-profile network communication is attempted by the host.
7. The method of claim 1, the parameters of the network communication from the host being in the profile of the host if the destination address, destination port, and protocol of the network communication are present in the profile of the host.
8. The method of claim 1, the parameters of the network communication from the host being in the profile of the host if the destination address and the destination port of the network communication are present in the profile of the host.
9. The method of claim 1, the parameters of the network communication from the host being in the profile of the host if the destination address of the network communication is present in the profile of the host.
10. A method for determining a communications management policy for a reverse firewall in a network, the method comprising the steps of:
generating a profile for a host in the network; and
setting a throttling discipline for out-of-profile network communication from the host.
11. The method of claim 10, the step of generating a profile of a host including generating an initial set of rules corresponding to network communication originating from the host, and at least some of the initial set of rules are based on an analysis of network communication between a plurality of hosts in the network during a learning period.
12. The method of claim 11, the profile of the host comprising PCSPP rules.
13. The method of claim 11, the profile of the host comprising PCSP rules.
14. The method of claim 11, the profile of the host comprising PSP rules.
15. The method of claim 10, further comprising the step of:
updating the profile of the host in the network, the profile being stored in the reverse firewall.
16. The method of claim 15, the step of updating the profile of the host including automatically updating the set of rules to accommodate for known undesirable network communication.
17. The method of claim 16, the known undesirable network communication comprising at least one of: tcp communication between two hosts in the network that consists of less than three packets in each direction; udp communication between two hosts in the network that consists of less than two packets in either direction; and no icmp data communication.
18. A network device for controlling a network communication sent from a host in a network, the network device configured to enforce a profile of the host and a throttling discipline, the device comprising:
a memory unit storing a set of rules corresponding to the profile of the host in the network, the network device accessing the memory unit to identify the set of rules corresponding to the profile of the host in the network; and
an out-of-profile counter for use by the network device to enforce the throttling discipline.
19. The device of claim 18, the network device comprising a programmable router configured as a reverse firewall, the host in the network being connected to the network device.
20. The device of claim 18 coupled to an out-of-profile-counter, the out-of-profile counter being provided for each host in the network, the profile being stored in the memory unit, and the out-of-profile counter comprising a number and a timer.

Priority Applications (6)

Application Number Priority Date Filing Date Title
US11/290,976 US20060190998A1 (en) 2005-02-17 2005-11-30 Determining firewall rules for reverse firewalls
IL173160A IL173160A0 (en) 2005-02-17 2006-01-16 Determining firewall rules for reverse firewalls
CA2533034A CA2533034C (en) 2005-02-17 2006-01-17 Determining firewall rules for reverse firewalls
EP06101659A EP1694026A1 (en) 2005-02-17 2006-02-14 Determining firewall rules for reverse firewalls
US11/616,325 US8453227B2 (en) 2005-02-17 2006-12-27 Reverse firewall with self-provisioning
US13/902,206 US8813213B2 (en) 2005-02-17 2013-05-24 Reverse firewall with self-provisioning

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US65392505P 2005-02-17 2005-02-17
US11/290,976 US20060190998A1 (en) 2005-02-17 2005-11-30 Determining firewall rules for reverse firewalls

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US11/616,325 Continuation-In-Part US8453227B2 (en) 2005-02-17 2006-12-27 Reverse firewall with self-provisioning

Publications (1)

Publication Number Publication Date
US20060190998A1 true US20060190998A1 (en) 2006-08-24

Family

ID=36264048

Family Applications (3)

Application Number Title Priority Date Filing Date
US11/290,976 Abandoned US20060190998A1 (en) 2005-02-17 2005-11-30 Determining firewall rules for reverse firewalls
US11/616,325 Active 2029-09-04 US8453227B2 (en) 2005-02-17 2006-12-27 Reverse firewall with self-provisioning
US13/902,206 Expired - Fee Related US8813213B2 (en) 2005-02-17 2013-05-24 Reverse firewall with self-provisioning

Country Status (4)

Country Link
US (3) US20060190998A1 (en)
EP (1) EP1694026A1 (en)
CA (1) CA2533034C (en)
IL (1) IL173160A0 (en)


Also Published As

Publication number Publication date
CA2533034C (en) 2011-01-11
US20070204338A1 (en) 2007-08-30
US8453227B2 (en) 2013-05-28
US8813213B2 (en) 2014-08-19
CA2533034A1 (en) 2006-08-17
US20130263244A1 (en) 2013-10-03
IL173160A0 (en) 2006-06-11
EP1694026A1 (en) 2006-08-23

Similar Documents

Publication Publication Date Title
CA2533034C (en) Determining firewall rules for reverse firewalls
US10135864B2 (en) Latency-based policy activation
US9210193B2 (en) System and method for flexible network access control policies in a network environment
US7832009B2 (en) Techniques for preventing attacks on computer systems and networks
Barbosa et al. Flow whitelisting in SCADA networks
Mcdaniel et al. Enterprise Security: A Community of Interest Based Approach.
EP3487144A1 (en) Malicious domain scoping recommendation system
US9531673B2 (en) High availability security device
EP1678615A2 (en) Policy-based network security management
Kyaw et al. Pi-IDS: evaluation of open-source intrusion detection systems on Raspberry Pi 2
JP2010268483A (en) Active network defense system and method
US20140380457A1 (en) Adjusting ddos protection
US20200259860A1 (en) Method and system for providing ddos protection by detecting changes in a preferred set of hierarchically structured items in stream data
US20090235355A1 (en) Network intrusion protection system
KR20020072618A (en) Network based intrusion detection system
Chomsiri et al. A stateful mechanism for the tree-rule firewall
Abdulkadhim et al. Boosting the network performance using two security measure scenarios for service provider network
Nie et al. Intrusion detection using a graphical fingerprint model
US20050147037A1 (en) Scan detection
US20230319078A1 (en) System and method for detecting and mitigating port scanning attacks
Poornima et al. A study on denial of service attacks in cluster based web servers
Pattinson et al. Trojan detection using MIB-based IDS/IPS system
Sudarsan et al. Performance Evaluation of Data Structures in implementing Access Control Lists
Sadok et al. RIP–A robust IP access architecture
Liu Design and implement of common network security scanning system

Legal Events

Date Code Title Description
AS Assignment

Owner name: AT&T CORP., NEW JERSEY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:AIELLO, WILLIAM A;KALMANEK, JR, CHARLES R;MCDANIEL, PATRICK;AND OTHERS;REEL/FRAME:017603/0149;SIGNING DATES FROM 20060225 TO 20060504

AS Assignment

Owner name: AT&T PROPERTIES, LLC, NEVADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AT&T CORP.;REEL/FRAME:023138/0599

Effective date: 20090821

Owner name: AT&T INTELLECTUAL PROPERTY II, L.P., NEVADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AT&T PROPERTIES, LLC;REEL/FRAME:023138/0624

Effective date: 20090821

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: AT&T CORP., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE NAME OF THE SECOND NAMED ASSIGNOR, CHARLES ROBERT KALMANEK, JR. PREVIOUSLY RECORDED ON REEL 017603 FRAME 0149. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNORS:AIELLO, WILLIAM A.;KALMANEK, CHARLES ROBERT, JR.;MCDANIEL, PATRICK;AND OTHERS;SIGNING DATES FROM 20060225 TO 20060504;REEL/FRAME:064305/0889