Method and apparatus for analyzing one or more firewalls

Electrical computers and digital processing systems: multicomput – Multiple network interconnecting

Reexamination Certificate


Details

C709S248000, C713S152000

Reexamination Certificate

active

07016980

ABSTRACT:
A method and apparatus are disclosed for analyzing the operation of one or more network gateways, such as firewalls or routers, that perform a packet filtering function in a network environment. Given a user query, the disclosed firewall analysis tool simulates the behavior of the various firewalls, taking into account the topology of the network environment, and determines which portions of the services or machines specified in the original query would actually reach the destination from the source. The relevant packet-filtering configuration files are collected and an internal representation of the implied security policy is derived. A graph data structure is used to represent the network topology. A gateway-zone graph permits the firewall analysis tool to determine where given packets will travel in the network, and which gateways will be encountered along those paths. In this manner, the firewall analysis tool can evaluate a query object against each rule-base object, for each gateway node in the gateway-zone graph that is encountered along each path between the source and destination. A graphical user interface is provided for receiving queries, such as whether one or more given services are permitted between one or more given machines, and for presenting the results. A spoofing attack can be simulated by allowing the user to specify where packets are to be injected into the network, which may not be the true location of the source host-group.
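The analysis the abstract describes, as an added example written for this page (not the patent's or Fang's code): a toy gateway-zone graph with constructed zones, host groups and first-match rule-bases, enumerating every loop-free zone path between source and destination, evaluating the query against each gateway's rule-base along each path, and optionally injecting the packets at a zone other than the source's home to model the spoofing query.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (src_group, dst_group, service, action)

# Constructed sample network (not from the patent): each link between two
# zones is guarded by one gateway; host groups live in exactly one zone.
LINKS: Dict[FrozenSet[str], str] = {
    frozenset({"internet", "dmz"}): "fw_outer",
    frozenset({"dmz", "corp"}): "fw_inner",
    frozenset({"internet", "corp"}): "vpn_gw",  # a second way into corp
}
ZONE_OF: Dict[str, str] = {"any_ext": "internet", "web": "dmz", "db": "corp", "hr": "corp"}
RULEBASES: Dict[str, List[Rule]] = {  # constructed rule-bases, first match wins
    "fw_outer": [("*", "web", "http", "accept"), ("*", "web", "https", "accept"),
                 ("*", "*", "*", "drop")],
    "fw_inner": [("web", "db", "sql", "accept"), ("hr", "web", "http", "accept"),
                 ("*", "*", "*", "drop")],
    "vpn_gw":   [("hr", "*", "*", "accept"), ("*", "*", "*", "drop")],
}
SERVICES: Set[str] = {"http", "https", "sql", "ssh"}  # services a query may ask about


def match(rule_base: List[Rule], src: str, dst: str, svc: str) -> bool:
    """Evaluate one gateway's rule-base; an unmatched packet is dropped."""
    for r_src, r_dst, r_svc, action in rule_base:
        if r_src in ("*", src) and r_dst in ("*", dst) and r_svc in ("*", svc):
            return action == "accept"
    return False


def zone_paths(start: str, goal: str, seen: Tuple[str, ...] = ()) -> List[List[str]]:
    """All loop-free zone paths from start to goal in the gateway-zone graph."""
    if start == goal:
        return [[start]]
    paths = []
    for link in LINKS:
        if start in link:
            nxt = next(iter(link - {start}))
            if nxt not in seen:
                paths += [[start] + p for p in zone_paths(nxt, goal, seen + (start,))]
    return paths


def query(src: str, dst: str, inject_at: str = None) -> Set[str]:
    """Services that reach dst from src over at least one path. inject_at models
    the spoofing query: packets enter at that zone, not at src's true zone."""
    start = inject_at or ZONE_OF[src]
    reachable: Set[str] = set()
    for path in zone_paths(start, ZONE_OF[dst]):
        gateways = [LINKS[frozenset(pair)] for pair in zip(path, path[1:])]
        reachable |= {s for s in SERVICES
                      if all(match(RULEBASES[g], src, dst, s) for g in gateways)}
    return reachable
```

In this sample, `query("hr", "web")` returns https as well as http: fw_inner only permits http, but the corp to internet to dmz path through vpn_gw and fw_outer lets https through, which is exactly the kind of multi-path leak a per-firewall review misses.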

REFERENCES:
patent: 5146560 (1992-09-01), Goldberg et al.
patent: 5490252 (1996-02-01), Macera et al.
patent: 5726979 (1998-03-01), Henderson et al.
patent: 5898830 (1999-04-01), Wesinger, Jr. et al.
patent: 5968176 (1999-10-01), Nessett et al.
patent: 6182226 (2001-01-01), Reid et al.
patent: 6298445 (2001-10-01), Shostack et al.
patent: 6453419 (2002-09-01), Flint et al.
patent: 0 854 605 (1998-07-01), None
Hinrichs et al., “Policy-Based Management: Bridging the Gap,” Computer Security Applications Conference, IEEE Comput. Soc, 209-218 (Dec. 1999).
Mayer et al., “Fang: A Firewall Analysis Engine,” Security and Privacy Proceedings, IEEE Symposium, 177-187 (May 2000).
