Method and system for analyzing the security of a network

Information security – Policy

Reexamination Certificate


Details

Classification: C713S153000
Status: active
Patent number: 07849497

ABSTRACT:
Described herein are a method and system for analyzing the security of a computer network. According to various implementations, there is a device adapter associated with each device that has a significant impact on the security of the network (e.g., routers, switches, gateways, or “significant hosts”). The device adapter, which may be implemented as a piece of software executing remotely from the device, queries the device to determine what its security settings are (e.g., its firewall rules). The device adapter conducts the query using whichever form of communication the device requires (e.g., telnet, HTTP) and using whichever command set the device requires. Each type of device on the network has a software model associated with it. For example, there may be a router model, a switch model, a firewall model, and a gateway model. The model is made up of a series of rule sets. Each rule set includes rules that are derived from the configuration of the device (obtained by the device adapter). The rules are expressed in a canonical rule set language. A global view of the security policy of the network is generated based on the modeled behaviors of the security devices (i.e., devices that have an impact on security) of the network, and is displayed on a user interface.
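The abstract describes three pieces: a device adapter that turns each device's native configuration into rules in a canonical rule set language, a per-device model that orders those rules, and a global view composed from the models. The following Python sketch is an added illustration of that pipeline and is not code from the patent or any product; the canonical Rule form, the two adapters (which parse constructed Cisco-style and iptables-style text rather than querying a device over telnet or HTTP), and the path-based global view are all this example's own assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# Canonical rule set language (assumed form): action "permit"/"deny", src/dst IPv4Network,
# dport an int or None for any destination port.
Rule = namedtuple("Rule", "action src dst dport")

def _cisco_net(tokens):        # one Cisco address spec: 'any', 'host A', or 'A WILDCARD'
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ip_address(tokens[1]))            # 0.255.255.255 -> /8
    return ip_network(f"{tokens[0]}/{32 - wildcard.bit_length()}", strict=False), tokens[2:]

def cisco_acl_adapter(config):   # 'access-list N ACTION PROTO SRC DST [eq PORT]' -> canonical rules
    rules = []
    for line in config.strip().splitlines():
        t = line.split()
        src, rest = _cisco_net(t[4:])
        dst, rest = _cisco_net(rest)
        rules.append(Rule(t[2], src, dst, int(rest[1]) if rest[:1] == ["eq"] else None))
    return rules

def iptables_adapter(config):    # iptables-style lines (subset: -s, -d, --dport, -j) -> canonical rules
    rules = []
    for line in config.strip().splitlines():
        t = line.split()
        opt = lambda flag, default: t[t.index(flag) + 1] if flag in t else default
        rules.append(Rule("permit" if opt("-j", "DROP") == "ACCEPT" else "deny",
                          ip_network(opt("-s", "0.0.0.0/0")), ip_network(opt("-d", "0.0.0.0/0")),
                          int(opt("--dport", 0)) or None))
    return rules

def device_decision(rules, src, dst, dport):   # device model: first match wins, implicit deny
    for r in rules:
        if ip_address(src) in r.src and ip_address(dst) in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"

def global_view(path, src, dst, dport):
    """None if every device on the path permits the flow, else the first device that blocks it."""
    return next((n for n, r in path if device_decision(r, src, dst, dport) != "permit"), None)

# Constructed sample configurations (not from the patent or any real network).
EDGE_ROUTER_ACL = """access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 192.168.1.10 eq 22
access-list 101 permit tcp any host 192.168.1.10 eq 443
access-list 101 deny ip any any"""
HOST_FIREWALL = """-A INPUT -s 10.1.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP"""
NETWORK_PATH = [("edge-router", cisco_acl_adapter(EDGE_ROUTER_ACL)),
                ("host-firewall", iptables_adapter(HOST_FIREWALL))]
```

Querying the global view for SSH from 10.9.9.9 to 192.168.1.10 shows the kind of discrepancy the composed model surfaces: the edge router admits it from all of 10.0.0.0/8, but the host's own firewall only accepts it from 10.1.0.0/16, so the flow is reported as blocked at "host-firewall".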

REFERENCES:
patent: 6513721 (2003-02-01), Salmre et al.
patent: 6535227 (2003-03-01), Fox et al.
patent: 6795862 (2004-09-01), Keohane et al.
patent: 6990513 (2006-01-01), Belfiore et al.
patent: 7003562 (2006-02-01), Mayer
patent: 7596803 (2009-09-01), Barto et al.
patent: 2002/0021675 (2002-02-01), Feldmann
patent: 2002/0093527 (2002-07-01), Sherlock et al.
patent: 2002/0118642 (2002-08-01), Lee
patent: 2003/0110262 (2003-06-01), Hasan et al.
patent: 2004/0019807 (2004-01-01), Freund
patent: 2004/0064727 (2004-04-01), Yadav
patent: 2004/0215978 (2004-10-01), Okajo et al.
patent: 2004/0250156 (2004-12-01), Weichselbaum
patent: 2005/0268080 (2005-12-01), Quang et al.
patent: 2006/0075503 (2006-04-01), Bunker et al.
patent: 2007/0157286 (2007-07-01), Singh et al.
Al-Shaer et al., “Firewall Policy Advisor for Anomaly Detection, Rules Editing and Translation,” IEEE/IFIP Integrated Management IM'2003 (2003).
Al-Shaer et al., “Management and Translation of Filtering Security Policies,” IEEE International Conference on Communications (May 2003).
Al-Shaer et al., “Discovery of Policy Anomalies in Distributed Firewalls,” IEEE INFOCOM'04, pp. 2605-2616 (Mar. 2004).
Al-Shaer et al., “Modeling and Management of Firewall Policies,” IEEE Transactions on Network and Service Management, 1(1) (Apr. 2004).
Al-Shaer et al., “Conflict Classification and Analysis of Distributed Firewall Policies,” IEEE Journal on Selected Areas in Communications (JSAC), 23(10), pp. 2069-2084 (2005).
Bartal et al., “Firmato: A Novel Firewall Management Toolkit,” Technical Report EES2003-1, Dept. of Electrical Engineering Systems, Tel Aviv University (2003).
Bellovin, “Distributed Firewalls,” ;login:, pp. 37-39 (Nov. 1999).
Eppstein et al., “Internet Packet Filter Management and Rectangle Geometry,” Symp. on Discrete Algorithms, pp. 827-835 (2001).
Eronen et al., “An Expert System for Analyzing Firewall Rules,” Proc. of the 6th Nordic Workshop on Secure IT Systems (NordSec 2001), pp. 100-107 (2001).
Hamed et al., “Taxonomy of Conflicts in Network Security Policies,” IEEE Communications Magazine, 44(3) (Mar. 2006).
Hazelhurst et al., “Binary Decision Diagram Representations of Firewall and Router Access Lists,” Technical Report TR-Wits-CS-1998-3, University of the Witwatersrand, Johannesburg, South Africa (Oct. 1998).
Hazelhurst et al., “Algorithms for Analyzing Firewall and Router Access Lists,” Proc. of the International Conference on Dependable Systems and Networks (DSN'00), pp. 576-585 (2000).
Liu et al., “Firewall Queries,” Proceedings of the 8th International Conference on Principles of Distributed Systems, LNCS 3544, T. Higashino Ed., Springer-Verlag, pp. 124-139 (Dec. 2004).
Mayer et al., “Fang: A Firewall Analysis Engine,” Proc. of IEEE Symp. on Security and Privacy, pp. 177-187 (2000).
Schuba et al., “A Reference Model for Firewall Technology,” Spartan Symposium (Mar. 1997).
Wool, “A Quantitative Study of Firewall Configuration Errors,” IEEE Computer, 37(6) pp. 62-67 (Jun. 2004).
Wool, “Architecting the Lumeta Firewall Analyzer,” Proceedings of the 10th USENIX Security Symposium, Washington, D.C. (Aug. 2001).
Xie et al., “On Static Reachability Analysis of IP Networks,” Proceedings of IEEE Infocom'05 (Mar. 2005).
Yuan et al., “Fireman: A Toolkit for Firewall Modeling and Analysis,” Proceedings of 2006 IEEE Symposium on Security and Privacy, Oakland, CA (May 2006).
