US20060041936A1 - Method and apparatus for graphical presentation of firewall security policy - Google Patents

Publication number
US20060041936A1
Authority
US
United States
Prior art keywords
destination
firewall
address
entry
network
Legal status
Abandoned
Application number
US10/922,500
Inventor
Brooke Anderson
William Bunn
Mary Karnes
Sarah Lieberman
Mira Wilczek
Current Assignee
Kyndryl Inc
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp
Priority to US10/922,500
Publication of US20060041936A1
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION (assignment of assignors' interest; see document for details). Assignors: LIEBERMAN, SARAH M.; ANDERSON, BROOKE MADSEN; BUNN, WILLIAM C.; KARNES, MARY; WILCZEK, MIRA E.
Priority to US13/430,186 (published as US8701177B2)
Assigned to KYNDRYL, INC. (assignment of assignors' interest; see document for details). Assignor: INTERNATIONAL BUSINESS MACHINES CORPORATION

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/02 for separating internal from external traffic, e.g. firewalls
    • H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/14 for detecting or protecting against malicious traffic › H04L 63/1433 Vulnerability analysis
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications › H04L 67/50 Network services › H04L 67/75 Indicating network or usage conditions on the user display

Definitions

  • the invention relates generally to computer networks, and deals more particularly with a technique to graphically present data flows, vulnerabilities and misconfigurations in a firewall.
  • An enterprise intranet is considered known and trusted because it houses internal communications within the enterprise. While this intranet communicates with external network environments to transmit or receive data, it generally will not need to accept inbound connections initiated directly from an untrusted network.
  • An extranet comprises known but untrusted network environments, such as “Demilitarized Zones (“DMZ”),” “Service networks” and “Business to Business (B2B) interconnections.” These networks are semi-secure because the owners and users are generally known but not trusted. There are also external unknown and untrusted networks such as the Open Internet. These are the riskiest types of networks with which to communicate.
  • a firewall is a network device that can protect a variety of networks by inspecting, filtering and blocking data which flows to and through the network.
  • the firewall can be installed between known and trusted networks, known and untrusted networks, and unknown and untrusted networks.
  • A firewall comprises a routing engine and filters that screen out unwanted data communications.
  • the firewall is responsible for enforcing a security policy for incoming and outgoing communications.
  • The security policy may define the types of networks with which the known network is permitted to communicate and which protocols are permitted for those communications. For example, the firewall may permit communications only between the intranet and the enterprise's “DMZ”, which sits between the trusted internal network and the untrusted, unknown external network.
  • An enterprise's DMZ comprises servers and related devices that are supplied and managed by the enterprise but generally do not hold unencrypted sensitive data. Therefore, if the servers in the enterprise's DMZ are compromised by a communication from another, untrusted network, the damage is limited. Because the enterprise itself manages these DMZ servers, a measure of security exists in the enterprise DMZ that does not exist in the Open Internet. In some cases a network has no firewall at all and connects directly to other networks through a router.
  • In addition to denying traffic to and from entire networks, a firewall can limit traffic between networks more granularly by specifying which hosts may communicate with which network entities. These hosts are presumed hardened enough to withstand damaging messages. They are listed in the firewall ruleset, which the firewall consults for host identifiers (e.g. IP address or hostname) before permitting a communication. Rulesets must be audited to understand which hosts have outbound connectivity and to determine whether any rule violates a pre-specified corporate security mandate.
  • a third way a firewall can limit traffic between networks is by communication protocols and ports.
  • the most common communication protocols are TCP, UDP and ICMP.
  • Each of these protocols includes usage criteria such as the range of ports used by TCP and UDP for certain types of requests.
  • the TCP and UDP ports indicate which applications in the recipient device should provide the requested services. It is desirable in some cases to limit the range of ports for certain types of communications.
  • the limitation on the range of ports facilitates the handling of the requested service. For example, many programs are written to open any available TCP or UDP port. This makes the identification of the application using such a port difficult. In some such cases it is possible to restrict the range of ports available to these applications to assist in identifying which application is using the port. It may be preferable for some networks to not allow communication using an application requiring an unlimited range of TCP or UDP ports.
  • The policy may also specify which ICMP message types are permitted.
  • Example types are Echo Request (a ping), Echo Reply (the response to a ping) and Host Unreachable (a code of the Destination Unreachable message).
  • Some networks may not wish to accept certain ICMP message types. For example, some destination networks deny Echo Request messages from untrusted networks because floods of them are a denial-of-service vector and the replies reveal which hosts are live.
  • TCP begins every connection with a handshake, so a firewall can track connection state and reject unsolicited packets, whereas UDP is connectionless: a UDP packet's source address cannot be validated and replies must be let back in blindly or by timed state entries. TCP is therefore considered more controllable and trustworthy than UDP, and some networks do not accept UDP communications at all. It was known for an administrator to check whether the firewall permits incoming UDP communications and, if so, report a security violation. These checks were performed by reviewing the firewall access control lists or by sniffing traffic.
  • The security policy of a firewall also may prohibit certain message flows, such as those involving certain versions of Telnet and the Berkeley r-commands (rsh, rlogin), because these protocols carry credentials and session data in cleartext and the r-commands rely on host-based trust (.rhosts). It was known for a systems administrator to check whether the firewall permits such message flows and, if so, report a security violation. These checks were performed by reviewing the firewall access control lists or by sniffing traffic.
  • firewall rules should be verified regularly to ensure they conform to the enterprise security policy, are configured properly and function as intended. Traditionally, this is completed manually by a systems administrator or a person outside of the day-to-day operations of the firewall such as a security administrator. The systems administrator or security administrator reviews each firewall rule to confirm the network type of each IP address and ensure that the data flows configured in the firewall are acceptable according to the enterprise security policy. While this technique is effective, it requires tedious, human review of the configuration information from each network with which communication is desired, and there can be many such networks. Routers and firewalls of networks are often changed, and this may require the systems administrator or security administrator to repeat the foregoing investigation.
  • a Solsoft computer program (by Solsoft Inc.) was known to display a diagram of networks connected to each other, and firewalls within the networks. This program includes an option to color code each of the networks. This option was commercially used (more than one year ago) to color code each network based on the security level of the network. This known color coding was blue for a most secure intranet, green for protected DMZ or Service network, yellow for a DMZ or Service network and red for an insecure network such as the Open Internet.
  • EP 1119151A2 to Alain et al. discloses a computer program that displays a graphical representation of a network; the data flows of the network can be determined through a series of queries.
  • An object of the present invention is to improve the process of reporting data flows, data flow vulnerabilities, data flow misconfigurations and improper firewall settings.
  • the invention resides in a system, method and computer program product for reporting a data flow in a firewall.
  • a graphical representation of the firewall and a network coupled to the firewall is generated and displayed.
  • a number of an inbound port of the network is displayed.
  • An arrow adjacent to the port number pointing toward the network is displayed to indicate that a communication is permitted to the port.
  • the port number and the arrow are located between an icon for the network and an icon for the firewall.
  • a port number of a destination of a communication originating from the network is displayed. Also, another arrow adjacent to the destination port number pointing toward the firewall is displayed to indicate that a communication is permitted to the destination port number.
  • the destination port number and the other arrow are located between an icon for the network and an icon for the firewall.
  • the invention also resides in a system, method and program product for reporting data flow vulnerabilities in a firewall.
  • a table including definitions of a plurality of rules is generated and displayed. Each of the definitions includes an entry for a source IP address of a permitted but vulnerable data flow, an entry for a destination IP address of the permitted but vulnerable data flow, and an entry for a protocol or destination port of the permitted but vulnerable data flow.
  • the source IP address entry in the table is color coded to indicate a security level of a source network containing the source IP address.
  • the destination IP address entry in the displayed table is color coded to indicate a security level of a destination network containing the destination IP address.
  • the definition for each of the rules includes both the entry for the protocol and the entry for the destination port.
  • the entry for the protocol and/or the entry for the destination port is color coded to indicate a severity of the vulnerability.
  • the table also includes other definitions of another plurality of rules.
  • Each of the other definitions including an entry for a source IP address of a vulnerable, denied data flow, an entry for a destination address of the vulnerable, denied data flow, and an entry for a protocol or destination port of the vulnerable, denied data flow.
  • the source IP address entry in the table is color coded to indicate a security level of a source network containing the source IP address of the vulnerable, denied data flow.
  • the destination IP address entry in the table is color coded to indicate a security level of a destination network containing the destination IP address of the vulnerable, denied data flow.
  • the invention also resides in a system, method and computer program product for reporting data flow misconfigurations in a firewall.
  • a table including definitions of a plurality of rules is generated and displayed. Each of the definitions includes an entry for a source IP address of a permitted but misconfigured data flow, an entry for a destination IP address of the permitted but misconfigured data flow, and an entry for a protocol or destination port of the permitted but misconfigured data flow.
  • the source IP address entry in the table is color coded to indicate a security level of a source network containing the source IP address.
  • the destination IP address entry in the table is color coded to indicate a security level of a destination network containing the destination IP address.
  • the definition for each of the rules includes both the entry for the protocol and the entry for said destination port.
  • the entry for the protocol or the entry for the port is color coded to indicate a severity of the misconfiguration.
  • the invention also resides in a system, method and computer program product for reporting improper settings in a firewall.
  • a table including descriptions and security-risk severity ratings of a respective plurality of settings of the firewall is generated and displayed. Some or all of the settings are improper.
  • the security-risk ratings or descriptions of the improper settings are color coded to indicate respective security-risk severities of the improper settings.
  • FIG. 1 is a block diagram of multiple, interconnected networks in which the present invention can be used, and includes a firewall security checking server to execute a security checking program according to the present invention.
  • FIG. 2 is a more detailed block diagram of FIG. 1 illustrating the specific program functions within the security checking program.
  • FIG. 3 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to gather information about the data flow configuration of firewall.
  • FIG. 4 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine information about zones interconnected by the firewall, and the interfaces for each zone.
  • FIG. 5 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine data flows through each interface of the firewall.
  • FIG. 6 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine vulnerabilities in the data flows through the firewall.
  • FIG. 7 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine misconfigurations in the data flows through the firewall.
  • FIG. 8 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine improper settings (other than data flows) of firewall.
  • FIGS. 9 (A) and 9 (B) form a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to display a network diagram, vulnerabilities and misconfigurations in the data flows through the firewall, and improper settings on the firewall itself.
  • FIG. 10 is an example of a network diagram generated by the program function of FIGS. 9 (A) and 9 (B).
  • FIG. 11 is an example of a vulnerability table generated and displayed by the program function of FIGS. 9 (A) and 9 (B).
  • FIG. 12 is an example of a misconfiguration table generated and displayed by the program function of FIGS. 9 (A) and 9 (B).
  • FIG. 13 is an example of an improper settings table generated and displayed by the program function of FIGS. 9 (A) and 9 (B).
  • FIG. 14 is an example of a printout of vulnerability findings for firewall 21 , by the program function of FIGS. 9 (A) and 9 (B).
  • FIG. 15 is an example of a printout of misconfiguration findings for firewall 21 , by the program function of FIGS. 9 (A) and 9 (B).
  • FIG. 16 is an example of a printout of improper settings of firewall 21 , by the program function of FIGS. 9 (A) and 9 (B).
  • FIG. 1 illustrates four networks 11 - 14 .
  • Network 13 has a firewall 21 which filters communications between network 13 and networks 11 and 12 .
  • Network 13 is a secure (“Blue”) enterprise intranet.
  • Network 12 is a semi-secure (“Yellow”) DMZ.
  • Network 11 is a semi-trusted (“Green”) network (from the point of view of network 13).
  • Network 14 is an untrusted network such as the Open Internet, and is coupled to DMZ network 12 via another firewall 22 of DMZ network 12.
  • the present invention can be used with a wide variety of networks.
  • Network 13 comprises a firewall management computer 50 which manages firewall 21 .
  • the management functions include authorization, logging, and remote administration.
  • Network 13 also comprises a firewall security checking server 51 which is responsible for checking the security policy within firewall 21 and reporting any vulnerabilities, misconfigurations and problems in settings. (Alternately, firewall security checking server 51 could exist on a standalone network.)
  • Network 13 also comprises one or more servers 29 and workstations (not shown).
  • Network 11 comprises one or more servers 31 which can communicate with server 29 via firewall 21 .
  • network 12 comprises one or more servers 32 which can communicate with server 29 via firewall 21 .
  • Network 14 comprises one or more servers 34 which can communicate with servers 32 via firewall 22 .
  • FIG. 2 illustrates a firewall security checking program 100 within firewall security checking server 51 .
  • Security checking program 100 identifies all data flows and highlights vulnerable and misconfigured data flows and improper firewall settings permitted by firewall 21 , and then displays them as described below.
  • Security checking program 100 includes the following program functions or modules.
  • a program function 110 gathers configuration information about firewall 21 needed to determine the data flows, vulnerabilities and misconfigurations.
  • a program function 112 gathers firewall interface and zone/network information for each firewall, such as which types of networks connect to firewall 21 . The interface and zone information is needed to correlate a set of data flow rules to the proper firewall interface and adjacent zone/network.
  • the different types of networks include a “Blue” zone such as the enterprise intranet, a “Green” zone such as a network accessible only to semi-trusted entities such as business partners, a “Yellow” zone such as a DMZ for an intranet, and a “Red” zone such as the Internet.
  • a program function 120 checks data flow rules for each interface, such as what protocols and ports should be permitted to/through the interface.
  • a program function 130 determines vulnerabilities in data flows such as use of vulnerable communication programs, protocols and ports.
  • a program function 140 determines misconfigurations in data flows such as when the firewall permits two contradictory rules.
  • a program function 150 determines errors in settings within the firewall unrelated to data flow rules, such as settings for an SNMP function (for notification and management of events) and administration of the firewall 21 .
  • a program function 160 controls a computer display to graphically present the data flows, vulnerabilities and misconfigurations in a manner which effectively shows the data flows, vulnerabilities and misconfigurations to the user.
  • program function 110 requests and gathers configuration information about the firewall 21 needed to determine data flows, vulnerabilities and misconfigurations within firewall 21 .
  • the configuration information comprises a set of firewall data flow rules, firewall settings, authentication methods and information about the security level of each zone/network connected to the firewall.
  • A Cisco PIX firewall specifies the security level of an adjacent zone by a number from 0 to 100, where 0 is the lowest security, i.e. the (red) Internet, and 100 is the highest, i.e. the (blue) intranet; by default a PIX lets sessions be initiated from a higher-level interface towards a lower-level one but not the reverse. Because the green zone has a higher security level than the yellow zone, it would accordingly be represented by a higher number.
  • the firewall “rules” specify which data flows are permitted and not permitted (a) into the firewall, (b) out of the firewall and (c) through the firewall, i.e. from one firewall interface to another firewall interface.
  • a “data flow” may be defined by a source IP address, destination IP address, IP protocol and port number of a communication.
  • the firewall “interfaces” indicate a physical connection to a network and therefore define the networks which are serviced by the firewall.
  • Program function 110 obtains the configuration information by request (for example by secure shell or e-mail from an administrator) directly from configuration files within firewall 21 , or by request from firewall management console 50 (step 302 ). After gathering the information, program function 110 stores the configuration information as a configuration table or file 304 in storage 305 (step 306 ).
  • program function 112 gathers zone/network information needed to determine data flows, vulnerabilities and misconfigurations within firewall 21 .
  • program function 112 reads from storage 305 , the configuration file 304 generated by program function 110 .
  • program function 112 parses the file 304 to identify the firewall 21 interfaces (steps 402 and 404 ).
  • program function 112 determines if the configuration file 304 contains other network information, such as the range of IP addresses for each network, the IP address of each device in the network, and description of routing to networks not directly connected to firewall 21 (step 406 ). If configuration file 304 does not contain all of this network information, then program function 112 queries the user to input the missing network information (step 408 ).
  • Program function 112 determines if the configuration file 304 indicates a numerical security level of each zone (decision 410). If not, then program function 112 queries the user to input the numerical security level of each zone, preferably a value on a scale of zero to one hundred, similar to the security levels used by the Cisco PIX firewall (step 412). If the configuration file contains the security level of each zone, or after the user enters it, program function 112 “collates” the zone information, i.e. associates with each firewall interface the security level of its zone or remote network. Then, program function 112 writes the collated zone information to a zone table 404 in storage 305 (step 414).
  • program function 120 analyses data flow rules for each interface.
  • Program function 120 operates as follows. In step 502 , the data flow checking program function 120 reads the firewall interface and zone information from the zone table 404 . Program function 120 also reads data flow rules from the configuration file 304 . Then, program function 120 selects one of the firewall interfaces to begin a data flow rule checking to correlate to each interface, the rules that apply to the interface (step 506 ). Assuming there is still an interface yet to be analyzed for firewall 21 (decision 508 , no branch), program function 120 reads the first rule (step 510 ), and determines if it is associated with the interface currently being evaluated (decision 512 ). This determination is made by evaluating IP addresses or access list names.
  • If the rule is associated with the interface currently being evaluated (decision 512, yes branch), program function 120 writes the rule to a data flow checking table 514 (step 516). If the rule is not so associated, or after step 516, program function 120 determines whether this is the last rule in the ruleset (decision 520). If not (decision 520, no branch), program function 120 loops back to step 510 to select the next rule in the ruleset and determine whether it is associated with the interface currently being evaluated. Steps 510, 512, 516 and 520 are repeated for each rule in the ruleset.
  • program function 120 determines from data flow checking table 514 if any rules from the ruleset were found to be associated with the current interface being evaluated (decision 524 ). If not, program function 120 writes default behavior to the data flow checking table 514 for this interface (step 526 ). The default behavior comprises logic of the specific firewall type, for example, how it handles null rulesets.
  • program function 120 loops back to step 506 to repeat the foregoing steps 508 , 510 , 512 , 516 , 520 , 524 and 526 for the next interface of firewall 21 .
  • Program function 120 determines if any rules in the ruleset have not been found to be associated with an interface of firewall 21 (decision 530). If so, program function 120 writes default behavior to data flow checking table 514 (step 532). The default behavior comprises logic of the specific firewall type, for example, how it handles rules that have not been associated with an interface. If program function 120 has found all of the rules of the ruleset to be associated with an interface of firewall 21 (or after step 532), then program function 120 has completed its checking, and proceeds to step 602 to invoke program function 130.
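
The gathering, collating and correlating steps of program functions 110, 112 and 120 above, as an added worked example. This code is not from the patent or from any IBM product; it parses a constructed configuration written in a small subset of Cisco PIX 6.x command syntax (nameif, ip address, access-list, access-group), and the table layouts and the default-behaviour entry for an interface with no bound rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not a real device's config).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.10.0.1 255.255.255.0
ip address dmz 192.0.2.1 255.255.255.0
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any
access-list dmz_in permit tcp 192.0.2.0 255.255.255.0 host 10.10.0.5 eq 1433
access-list unused_acl permit udp any any
access-group outside_in in interface outside
access-group dmz_in in interface dmz
"""


@dataclass
class Zone:
    """One row of the zone table 404 (layout assumed)."""
    interface: str
    security: int                                   # PIX scale: 0 = Internet, 100 = intranet
    network: Optional[ipaddress.IPv4Network] = None


@dataclass
class Rule:
    """One data flow rule; interface stays None until its ACL is bound by access-group."""
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[str]
    interface: Optional[str] = None


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Parse one PIX address operand at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return str(ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False)), i + 2


def parse_config(text: str) -> Tuple[Dict[str, Zone], List[Rule]]:
    """Program functions 110/112: read the config, collate interface, security
    level and attached network into a zone table, and collect every ACL entry."""
    zones: Dict[str, Zone] = {}
    rules: List[Rule] = []
    bindings: Dict[str, str] = {}                  # ACL name -> interface it is applied to
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            zones[t[2]] = Zone(t[2], int(t[3][len("security"):]))
        elif t[0] == "ip" and t[1] == "address":
            zones[t[2]].network = ipaddress.IPv4Network((t[3], t[4]), strict=False)
        elif t[0] == "access-list":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = t[i + 1] if i < len(t) and t[i] == "eq" else None
            rules.append(Rule(t[1], t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":
            bindings[t[1]] = t[4]
    for r in rules:
        r.interface = bindings.get(r.acl)
    return zones, rules


def data_flow_table(zones: Dict[str, Zone], rules: List[Rule]):
    """Program function 120: correlate rules to interfaces (data flow checking
    table 514). An interface with no bound rule gets a default-behaviour entry;
    rules whose ACL is never applied are returned separately (decision 530)."""
    table: Dict[str, List[Rule]] = {name: [] for name in zones}
    for r in rules:
        if r.interface in table:
            table[r.interface].append(r)
    for name, z in zones.items():
        if not table[name]:
            # PIX default with no ACL: sessions may start from a higher security
            # level towards lower ones, never the reverse. Simplified here to one
            # permit/deny entry keyed on the interface's own level (assumption).
            table[name].append(Rule("<default>", "permit" if z.security > 0 else "deny",
                                    "ip", "0.0.0.0/0", "0.0.0.0/0", None, name))
    unbound = [r for r in rules if r.interface is None]
    return table, unbound
```

Running `parse_config(SAMPLE_CONFIG)` followed by `data_flow_table(...)` yields three rules on `outside`, one on `dmz`, a default entry on `inside`, and `unused_acl` reported as a rule never associated with any interface, which is exactly the case decision 530 exists for.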
  • FIG. 6 illustrates program function 130 in detail.
  • program function 130 determines data flow vulnerabilities such as use of vulnerable communication programs, protocols and ports for certain firewall interfaces and their respective zones.
  • a vulnerability database 603 in storage 305 is maintained with current information.
  • the vulnerability database 603 lists known data flow vulnerabilities based on type of service, protocol, port number, respective zones, and other factors.
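
The lookup that program function 130 performs against vulnerability database 603, as an added example that also covers the background points made earlier on this page (UDP from less trusted zones, ICMP Echo Request from the Internet, Telnet and the r-commands, unrestricted port ranges). This is not the patent's code and database 603 is not public: the flows, the zone levels and the entries and severities below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A data flow as it sits in the data flow checking table (layout assumed)."""
    interface: str
    action: str             # permit | deny
    proto: str              # tcp | udp | icmp | ip
    src_zone: str
    dst_zone: str
    dport: Optional[str]    # port number, "any" for an unrestricted range, or an ICMP type


# Constructed zone table on the PIX 0..100 scale (0 = Internet, 100 = intranet).
ZONES = {"outside": 0, "partner": 25, "dmz": 50, "inside": 100}

# A check takes (flow, source level, destination level) and returns
# (finding, severity) or None. Entries and severities are assumptions.
Check = Callable[[Flow, int, int], Optional[Tuple[str, str]]]


def service(name: str, proto: str, port: str, severity: str) -> Check:
    """Flag a named cleartext/legacy service regardless of zones."""
    def check(f: Flow, s: int, d: int):
        if f.proto == proto and f.dport == port:
            return (f"{name} permitted", severity)
        return None
    return check


def udp_from_less_trusted(f: Flow, s: int, d: int):
    # UDP is connectionless: no handshake, so the source cannot be validated.
    if f.proto == "udp" and s < d:
        return ("UDP accepted from a less trusted zone", "medium")
    return None


def icmp_echo_from_internet(f: Flow, s: int, d: int):
    if f.proto == "icmp" and f.dport == "echo-request" and s == 0:
        return ("ICMP echo-request from the Internet (flood and host-discovery exposure)", "low")
    return None


def unrestricted_ports(f: Flow, s: int, d: int):
    if f.proto in ("tcp", "udp") and f.dport == "any" and s < d:
        return ("unrestricted port range from a less trusted zone", "high")
    return None


VULN_DB: List[Check] = [
    service("telnet", "tcp", "23", "high"),
    service("rlogin", "tcp", "513", "high"),
    service("rsh", "tcp", "514", "high"),
    udp_from_less_trusted,
    icmp_echo_from_internet,
    unrestricted_ports,
]


def find_vulnerabilities(flows, zones=ZONES, db=VULN_DB):
    """Return [(flow, finding, severity)]. Denied flows that match an entry are
    kept with severity 'denied', so the vulnerability table can list
    vulnerable-but-denied flows separately from permitted ones."""
    out = []
    for f in flows:
        s, d = zones[f.src_zone], zones[f.dst_zone]
        for check in db:
            hit = check(f, s, d)
            if hit:
                out.append((f, hit[0], hit[1] if f.action == "permit" else "denied"))
    return out


# Constructed flows (not from any real firewall).
SAMPLE_FLOWS = [
    Flow("outside", "permit", "tcp",  "outside", "dmz",     "80"),
    Flow("outside", "permit", "tcp",  "outside", "dmz",     "23"),
    Flow("outside", "permit", "icmp", "outside", "dmz",     "echo-request"),
    Flow("dmz",     "permit", "udp",  "dmz",     "inside",  "any"),
    Flow("partner", "deny",   "tcp",  "partner", "inside",  "513"),
    Flow("inside",  "permit", "tcp",  "inside",  "outside", "any"),
]
```

Note that the last flow (any TCP port from the intranet out to the Internet) produces no finding: the zone-aware checks key on the direction of trust, not on the port range alone, which is why the zone table has to be collated before this pass runs.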
  • FIG. 7 illustrates program function 140 in detail.
  • program function 140 determines data flow misconfigurations such as when two or more firewall rules contradict each other, two or more firewall rules are redundant of each other or when a firewall rule specifies a source zone or destination zone that is not consistent with the interfaces of the firewall.
  • program function 140 reads the contents of data flow checking table 514 which contains each rule in the ruleset for firewall 21 .
  • Program function 140 analyses the first data flow rule in table 514 for “interface/zone” consistency, i.e. consistency with its interface and respective zones (step 704).
  • program function 140 checks if the source IP address is in the source zone for the specified interface. Also, for outbound rules, program function 140 checks if the destination IP address is in the destination zone for the specified interface. As another example of processing in step 704 , program function 140 checks if the source IP address and destination IP address are in the same network. As another example of processing in step 704 , program function 140 checks if there are any data flows terminating at the firewall itself. Next, program function 140 checks the first one of the data flow rules for “rule” redundancy, i.e. redundancy with another data flow rule considered in a previous iteration of program function 140 (step 706 ).
  • program function 140 checks the first data flow rule for “rule” contradiction, i.e. contradiction with a previous one of the data flow rules considered in a previous iteration of program function 140 (step 708 ).
  • program function 140 compares the first data flow rule in table 514 for any other type of misconfiguration such as “superset” redundancy where one rule encompasses another rule, making it unnecessary to include this other rule in the rule set (step 710 ).
  • program function 140 checks if the source IP address is not reachable from the source zone of any firewall interface, making it impossible for this rule to apply. As another example of processing in step 710 , program function 140 checks if the destination IP address is not reachable through a destination zone for any interface of the firewall, making it impossible for this rule to apply.
  • For each zone inconsistency, rule redundancy, rule contradiction or other type of misconfiguration (decision 720, yes branch), program function 140 writes the rule into a misconfiguration table 730 (step 732). If the current rule has none of these, or after step 732, and rules remain to be evaluated (decision 740, no branch), program function 140 loops back to step 704 to evaluate the next rule in data flow checking table 514, i.e. repeats steps 704, 706, 708, 710, 720, 732 and 740. After all the rules have been evaluated (decision 740, yes branch), program function 140 has completed its evaluation and proceeds to step 802 to invoke program function 150.
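
The misconfiguration checks of steps 704 to 710 (interface/zone consistency, flows terminating on the firewall, unreachable destinations, exact and superset redundancy, contradiction), as an added example that is not the patent's own code. The rule table and zone layout are constructed, and the finding names are an assumption; the rule-to-rule comparisons use the ordering of the table, since a first-match firewall never reaches a rule that an earlier rule shadows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of data flow checking table 514 (layout assumed): an entry of
    the inbound ACL bound to `interface`."""
    interface: str
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp
    src: str                     # CIDR; 0.0.0.0/0 = any
    dst: str                     # CIDR; 0.0.0.0/0 = any
    dport: Optional[str] = None  # None = any port


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed zone table: interface -> (attached network, firewall's own address).
ZONES = {
    "outside": (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_address("203.0.113.1")),
    "dmz":     (ipaddress.ip_network("192.0.2.0/24"),   ipaddress.ip_address("192.0.2.1")),
    "inside":  (ipaddress.ip_network("10.10.0.0/24"),   ipaddress.ip_address("10.10.0.1")),
}


def zone_of(net: ipaddress.IPv4Network) -> Optional[str]:
    """Interface whose attached network contains `net`, or None if unreachable."""
    for name, (zone_net, _) in ZONES.items():
        if net != ANY and net.subnet_of(zone_net):
            return name
    return None


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    return (a.interface == b.interface
            and (a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst)))


def find_misconfigurations(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule index, finding) pairs; one rule may yield several findings."""
    findings = []
    for i, r in enumerate(rules):
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        # Step 704: interface/zone consistency checks.
        if src != ANY and zone_of(src) != r.interface:
            findings.append((i, "source address not in the interface's zone"))
        if src != ANY and dst != ANY and zone_of(src) is not None and zone_of(src) == zone_of(dst):
            findings.append((i, "source and destination in the same network"))
        if dst.num_addresses == 1 and any(dst[0] == fw for _, fw in ZONES.values()):
            findings.append((i, "flow terminates on the firewall itself"))
        # Step 710: a destination no interface can reach makes the rule dead.
        if dst != ANY and zone_of(dst) is None:
            findings.append((i, "destination not reachable through any zone"))
        # Steps 706-710: compare with every rule evaluated in an earlier iteration.
        for j, earlier in enumerate(rules[:i]):
            if earlier == r:
                findings.append((i, f"exact duplicate of rule {j}"))
            elif covers(earlier, r):
                if earlier.action == r.action:
                    findings.append((i, f"redundant: covered by rule {j}"))
                else:
                    findings.append((i, f"contradiction: shadowed by rule {j} ({earlier.action})"))
    return findings


# Constructed rule table exercising each finding (not from any real firewall).
SAMPLE_RULES = [
    Rule("outside", "permit", "tcp", "0.0.0.0/0",    "192.0.2.0/24",  "80"),
    Rule("outside", "permit", "tcp", "0.0.0.0/0",    "192.0.2.10/32", "80"),   # inside rule 0
    Rule("outside", "deny",   "tcp", "0.0.0.0/0",    "192.0.2.20/32", "80"),   # never reached
    Rule("dmz",     "permit", "tcp", "10.10.0.0/24", "192.0.2.5/32",  "22"),   # wrong zone
    Rule("dmz",     "permit", "tcp", "192.0.2.0/24", "192.0.2.1/32",  "22"),   # to firewall
    Rule("inside",  "permit", "ip",  "10.10.0.0/24", "172.16.0.0/16"),         # dead route
    Rule("inside",  "permit", "ip",  "10.10.0.0/24", "172.16.0.0/16"),         # duplicate
]
```

The contradiction case (rule 2) is the one worth a second look in any audit: the deny is syntactically fine, but rule 0 already permits the same packets, so the administrator's intent is silently lost.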
  • FIG. 8 illustrates program function 150 in detail.
  • program function 150 determines errors in other firewall settings unrelated to data flow rules, such as settings related to an SNMP function (for notification and management of events) and administration of the firewall 21 .
  • Program function 150 checks for SNMP community strings left at their defaults or of improper length (these strings gate read and write access to the firewall's management data), and for other improper SNMP keys.
  • Program function 150 also determines whether the information to be logged is properly specified, whether warning banners indicating that the network is secured and monitored are displayed, and whether the administrator must authenticate to an authentication server before obtaining access to the firewall. Then program function 150 compares the actual value of the first setting to a list of improper settings maintained in findings database 810 (step 804).
  • If the actual setting matches an improper setting (decision 806, yes branch), program function 150 writes the improper actual setting into an improper actual setting database 830 (step 832). If the setting was proper (decision 806, no branch), or after step 832, and another actual setting remains to evaluate (decision 836, no branch), program function 150 loops back to step 804 to review the next actual setting as described above. After all the actual settings have been evaluated, program function 150 has completed its evaluation and invokes program function 160 at step 902.
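
The settings comparison of program function 150, as an added example that is not the patent's code. The configuration lines are constructed in Cisco PIX 6.x command syntax (snmp-server, logging, banner, aaa authentication); the content of findings database 810, the severities and the thresholds (for example the minimum community-string length) are assumptions.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed settings section of a firewall config (not a real device).
SAMPLE_SETTINGS = """\
snmp-server community public
snmp-server host inside 10.10.0.50
logging on
logging trap informational
banner motd Welcome to the corporate firewall
aaa authentication ssh console LOCAL
"""


# Each check inspects the whole config text and returns the offending line, a
# description of what is missing, or None when the setting is proper.
def weak_snmp_community(cfg: str) -> Optional[str]:
    m = re.search(r"^snmp-server community (\S+)", cfg, re.M)
    if m and (m.group(1) in ("public", "private") or len(m.group(1)) < 8):
        return m.group(0)
    return None


def no_logging(cfg: str) -> Optional[str]:
    return None if re.search(r"^logging on$", cfg, re.M) else "logging not enabled"


def no_log_level(cfg: str) -> Optional[str]:
    return None if re.search(r"^logging trap ", cfg, re.M) else "no syslog level specified"


def banner_problem(cfg: str) -> Optional[str]:
    m = re.search(r"^banner motd (.*)$", cfg, re.M)
    if not m:
        return "no login banner"
    if re.search(r"welcome", m.group(1), re.I):
        return m.group(0)       # an inviting banner undercuts an unauthorised-access claim
    return None


def unauthenticated_admin(cfg: str) -> Optional[str]:
    missing = [p for p in ("ssh", "telnet", "enable")
               if not re.search(rf"^aaa authentication {p} console ", cfg, re.M)]
    if missing:
        return "no authentication configured for: " + ", ".join(missing)
    return None


# Findings database 810 (assumed layout): name, severity, check.
FINDINGS_DB: List[Tuple[str, str, Callable[[str], Optional[str]]]] = [
    ("default or short SNMP community string", "high", weak_snmp_community),
    ("logging disabled", "medium", no_logging),
    ("syslog level unset", "low", no_log_level),
    ("login banner", "low", banner_problem),
    ("administrative access without authentication", "high", unauthenticated_admin),
]


def check_settings(cfg: str, db=FINDINGS_DB) -> List[Tuple[str, str, str]]:
    """Return [(name, severity, evidence)] for every improper setting found,
    i.e. the rows that would go into improper actual setting database 830."""
    return [(name, sev, hit) for name, sev, check in db if (hit := check(cfg))]
```

The checks are written against the full text rather than line by line on purpose: "logging enabled" and "authentication required" are absences to detect, and an absence is only visible once the whole settings section has been read.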
  • FIGS. 9 (A) and 9 (B) illustrate program function 160 in detail.
  • program function 160 controls a computer display to graphically present the data flows, vulnerabilities and misconfigurations in a manner which effectively shows the vulnerabilities and misconfigurations to the user.
  • Program function 160 presents to a user four different options for display.
  • the first option (leading to branch 905 ) is to display a network diagram illustrating the various firewalls, interfaces and networks/zones with the type of each network/zone indicated by blue, green, yellow or red coloration or other representative color coding of a network icon.
  • each network icon is a “cloud”.
  • the network diagram also indicates for each interface, adjacent to the interface, a list of the permitted (or “active”) port types, port numbers and by arrow, the direction of the permitted communication through each port.
  • the network diagram also indicates for each firewall, the total number of problematic rules of each type, i.e. data flow vulnerabilities, data flow misconfigurations and improper settings.
  • FIG. 10 illustrates an example of a network diagram corresponding to a portion of the computer system of FIG. 1 , from the vantage point of firewall 21 , i.e. firewall 21 and the networks 11 , 12 and 13 connected to firewall 21 .
  • the three networks or “zones” 11 , 12 , and 13 connected to the firewall 21 are color-coded according to their security levels.
  • FIG. 10 is shown in black and white pursuant to USPTO rules, although in actuality, the network icons, flow arrows and certain port numbers are colored to provide associated information.
  • the network icon for blue network 13 is colored blue
  • the network icon for yellow network 12 is colored yellow
  • the network icon for green network 11 is colored green.
  • Each network icon is labeled with its network, network address translation (“NAT”) information (if any), and its numerical security level.
  • blue zone network 13 is a secure company intranet
  • green zone network 11 is a trusted network
  • red zone network 21 is an untrusted network such as the Internet
  • yellow zone network 12 is a DMZ network separating the blue zone network from the untrusted, red zone Internet.
  • the color coding will correspond to a reverse rainbow, with blue being the most secure network, and red the most insecure (typically the Internet).
  • the blue zone network 13 has security level of one hundred
  • the green zone network 11 has security level of seventy
  • the yellow zone network 12 has security level of fifty. The higher the security level, the more secure the network.
  • FIG. 10 also illustrates a summary pie chart 1035 labeled with the total number of data flow vulnerabilities, data flow misconfigurations, and improper firewall settings for firewall 21 .
  • Each section of the pie is labeled with the total number of findings of the corresponding type. If the user selects any of the pie sections, for example, by clicking with a mouse button, the corresponding table (see FIGS. 11-13 ) will be displayed. For example, if the section labeled “Firewall Settings Four” is clicked, then a firewall settings table would be displayed such as the one illustrated in FIG. 13 . In this example, the displayed firewall settings table has four improper firewall setting entries in all.
  • FIG. 10 also illustrates two sets of port numbers adjacent to each network; one set specifies the inbound ports used by this network to receive a communication from other networks, and the other set specifies the destination ports specified in communications from this network to other networks.
  • These ports are the ports of a network device which receives the communication, for example, a web server, a database server or a mail server.
  • firewall 21 reviews the port specified in each communication sent to the firewall en route to the destination network, and filters that communication if specified in the associated firewall rule.
  • network 13 uses port numbers 22 , 23 , 25 and 123 to receive communications from other networks, and sends communications to port numbers 23 , 80 and 443 of other networks.
  • Network 12 uses port number 23 to receive communications, and sends communications to port numbers 22 , 25 , 80 and 123 of other networks.
  • Network 11 uses port numbers 23 , 25 , 80 and 443 to receive communications, and sends communications to port numbers 23 and 123 of other networks.
  • the port numbers on each port list are color-coded according to the severity of the associated vulnerability finding made by program function 130 .
  • a black number has no associated vulnerability.
  • a green number is a low vulnerability, a yellow number is medium vulnerability, and a red number is high vulnerability.
  • the same port number may have different vulnerability ratings depending on the direction of flow, host-to-host limitation, or other factors.
  • Inbound port 22 of network 13 is color coded green to represent a low severity level of vulnerability.
  • Inbound port 123 and destination port 23 of network 13 are color coded yellow to represent an intermediate severity level of vulnerability.
  • Inbound ports 23 and 25 of network 13 are color coded red to represent a high severity level of vulnerability.
  • Destination ports 22 and 123 of network 12 are color coded green to represent a low severity level of vulnerability.
  • Inbound port 23 and destination port 25 of network 12 are color coded red to represent a high severity level of vulnerability.
  • Inbound port 23 and destination port 123 of network 11 are color coded yellow to represent an intermediate severity level of vulnerability.
  • Inbound port 25 and destination port 23 of network 11 are color coded red to represent a high severity level of vulnerability.
  • FIG. 10 also illustrates by arrows the data flows/communications between zones.
  • colored arrows represent flows into and flows out of the zone, for the corresponding sets of ports shown at the source of the arrow.
  • the color of a flow arrow corresponds to the security of the zone which is sending the communication in the case of an inbound communication (the arrows point towards the respective network clouds), and corresponds to the security of the zone which is receiving the communication in the case of an outbound communication (the arrows point towards the firewall).
  • the ports listed next to each set of color-coded flow arrows of the same direction include all flows in that direction.
  • the port associated with that communication will be listed in the inbound port list for the blue zone 13 at the source of the incoming flow arrows. For example, if SSH (TCP port 22 ) is allowed from yellow to blue, then the SSH port number will appear in the list of inbound ports next to the flow arrows for the blue zone 13 , even when SSH is not permitted to flow from the green zone to the blue zone.
  • a yellow arrow 1011 pointing toward the blue zone network 13 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 22 , 23 , 25 and 123 of the blue zone network 13 .
  • a green arrow 1013 pointing towards the blue zone network 13 represents all flows originating in the green zone network 11 and sent to one or more of ports 22 , 23 , 25 and 123 of the blue zone network 13 .
  • a green arrow 1027 pointing away from blue zone network 13 represents all flows originating in the blue zone network 13 and sent to one or more of ports 23 , 80 and 443 of the green zone network 11 .
  • a yellow arrow 1025 pointing away from blue zone network 13 represents all flows originating in the blue zone network 13 and sent to one or more of ports 23 , 80 and 443 of the yellow zone network 12 .
  • a green arrow 1015 pointing toward the yellow zone network 12 represents all flows originating in the green zone network 11 and sent to port 23 of the yellow zone network 12 .
  • a blue arrow 1017 pointing toward the yellow zone network 12 represents all flows originating in the blue zone network 13 and sent to port 23 of the yellow zone network 13 .
  • a green arrow 1019 pointing away from the yellow zone network 12 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 22 , 25 , 80 and 123 of the green zone network 11 .
  • a blue arrow 1021 pointing away from the yellow zone network 12 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 22 , 25 , 80 and 123 of the blue zone network 13 .
  • a yellow arrow 1029 pointing toward the green zone network 11 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 23 , 25 , 80 and 443 of the green zone network 21 .
  • a blue arrow 1031 pointing toward the green zone network 11 represents all flows originating in the blue zone network 13 and sent to one or more of ports 23 , 25 , 80 and 443 of the green zone network 11 .
  • a yellow arrow 1033 pointing away from green zone network 11 represents all flows originating in the green zone network 11 and sent to one or more of ports 23 and 123 of the yellow zone network 12 .
  • a blue arrow 1023 pointing away from green zone network 11 represents all flows originating in the green zone network 11 and sent to one or more of ports 23 and 123 of the blue zone network 13 . (In an alternate embodiment of the present invention, for each arrow into each zone/network there is a separate list of ports, shown at the source of the arrow, used for the communication represented by the arrow.)
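The aggregation rules stated above can be reproduced from a zone table and a list of permitted flows: a zone's inbound port list is the union of the destination ports of every flow into it (so SSH appears at the blue zone even if only the yellow zone may use it), an inbound arrow takes the color of the sending zone, an outbound arrow takes the color of the receiving zone, and each listed port is colored by the severity of its vulnerability finding. This is an added example written for this page, not code from the patent or its assignee; the `Flow` record, the color thresholds, and the sample flows and severities are constructed, and only the three security levels (100, 70, 50) come from the FIG. 10 description.

```python
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str       # zone that sends the communication
    dst: str       # zone whose device receives it
    port: int      # destination port on the receiving device
    severity: str  # finding for this flow: "none", "low", "medium" or "high"


# Security levels as given for FIG. 10; the zone names are the page's network numbers.
ZONES = {"network 13": 100, "network 11": 70, "network 12": 50}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
SEVERITY_COLOR = {"none": "black", "low": "green", "medium": "yellow", "high": "red"}


def zone_color(level: int) -> str:
    """Reverse-rainbow coding: the higher the level, the more secure, the cooler the color.
    The thresholds are constructed; the page only fixes the order blue > green > yellow > red."""
    if level >= 100:
        return "blue"
    if level >= 70:
        return "green"
    if level >= 50:
        return "yellow"
    return "red"


def _record_port(port_list: Dict[int, str], port: int, severity: str) -> None:
    """A port shown once per direction keeps the worst severity of any flow using it."""
    current = port_list.get(port, "none")
    if SEVERITY_RANK[severity] >= SEVERITY_RANK[current]:
        port_list[port] = severity


def build_diagram(zones: Dict[str, int], flows: List[Flow]) -> Dict[str, dict]:
    """Per zone: cloud color, inbound ports (on its own devices), destination ports
    (on other zones' devices), both as port -> color, and the set of colored arrows."""
    diagram = {
        name: {"color": zone_color(level), "inbound": {}, "outbound": {}, "arrows": set()}
        for name, level in zones.items()
    }
    for f in flows:
        # Inbound side: the port is listed at the receiving zone and the arrow pointing at
        # its cloud takes the color of the zone that sends the communication.
        _record_port(diagram[f.dst]["inbound"], f.port, f.severity)
        diagram[f.dst]["arrows"].add(("in", zone_color(zones[f.src])))
        # Outbound side: the destination port is listed at the sending zone and the arrow
        # pointing at the firewall takes the color of the zone that receives it.
        _record_port(diagram[f.src]["outbound"], f.port, f.severity)
        diagram[f.src]["arrows"].add(("out", zone_color(zones[f.dst])))
    for entry in diagram.values():
        entry["inbound"] = {p: SEVERITY_COLOR[s] for p, s in sorted(entry["inbound"].items())}
        entry["outbound"] = {p: SEVERITY_COLOR[s] for p, s in sorted(entry["outbound"].items())}
        entry["arrows"] = sorted(entry["arrows"])
    return diagram


# Constructed permitted flows with constructed severities; not the FIG. 10 data.
SAMPLE_FLOWS = [
    Flow("network 12", "network 13", 22, "low"),    # SSH allowed only from the DMZ
    Flow("network 11", "network 13", 23, "high"),   # telnet into the intranet
    Flow("network 13", "network 11", 443, "none"),
    Flow("network 13", "network 12", 80, "none"),
    Flow("network 12", "network 11", 25, "medium"),
]

if __name__ == "__main__":
    for name, entry in build_diagram(ZONES, SAMPLE_FLOWS).items():
        print(name, entry["color"], "in:", entry["inbound"], "out:", entry["outbound"], entry["arrows"])
```

In the sample, port 22 is listed inbound at network 13 although only network 12 may use it, which is exactly why the page offers the per-arrow pop-up (and the alternate embodiment with one port list per arrow) to disambiguate which source a listed port belongs to.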
  • the user can scroll over the respective colored arrow(s), in this example, arrow 1011 .
  • As the mouse passes over the arrow, a box such as pop up window 1101 will pop up with a list of only the ports/services flowing between the two zones represented by the arrow.
  • the vulnerability information for a flow includes a description of the finding, (such as shown in pop up window 1101 ), the relevant line number(s) from the configuration file 304 , recommendations for the administrator, and other information.
  • the user may click on a colored port number in any port list.
  • a window will pop up containing the vulnerability information for that flow only.
  • the vulnerability information for a specific port/service includes the same information described above.
  • Each security zone may have non-dataflow features that can be determined from the loaded configuration file 304 . These features may include routing information, the location of logging and other special-purpose servers, etc.
  • the basic network diagram does not display this information. However, if the user wishes to examine these additional features, the user may click on the network icon (cloud) to bring it into “focus.” When a network is in “focus”, all such additional information is graphically displayed.
  • the existence of the firewall 22 can be deduced from the configuration file 304 of the firewall 21 . It will appear as a router on the sample network diagram ( FIG. 10 ) when the yellow zone 12 is brought into focus. If different zones are brought into focus, different information will be revealed. If, for example, the blue zone 13 is brought into focus (not shown), the user will see a type of authentication server and its IP address attached to the blue zone 13 .
  • the second option is to display a table which lists each of the rules in the ruleset for a specified firewall, and the rules which represent data flow vulnerabilities.
  • FIG. 11 illustrates an example of a vulnerability table for firewall 21 .
  • FIG. 11 is shown in black and white pursuant to USPTO rules, although in actuality, some of the entries as described below are colored to provide associated information.
  • the Rule Number column identifies the order in which the rules are processed by the firewall. For each of the rules there is an entry for (a) security rating, (b) rule number, (c) source IP address for the data flow, (d) destination IP address for the data flow, (e) IP protocol, (f) port and (g) rule action.
  • the entry for the source IP address is color coded indicating the type of source network/zone, for example, blue, green, yellow or red. (If the type of source network for the source IP address is not limited, then the entry for the source IP address is “any” and is not color coded to indicate all networks connected to the firewall.)
  • the source IP addresses for rules 1 , 2 , 3 , 10 , 11 and 13 are color coded blue
  • the source IP addresses for rules 5 , 9 and 12 are color coded yellow
  • the source IP addresses for rules 6 and 14 are color coded green.
  • the entry for the destination IP address is color coded indicating the type of destination network/zone, for example, blue, green, yellow or red.
  • the destination IP addresses for rules 1 , 2 , 3 , 9 and 12 are color coded blue
  • the destination IP addresses for rules 4 , 6 , 7 , 8 , 10 , 11 , 13 and 14 are color coded yellow
  • the rule number is highlighted to indicate a hyperlink, the security rating entry is listed as high, medium or low and color coded red, yellow or green, respectively, to indicate the severity of the problem.
  • rule numbers 4 , 5 , 9 and 12 are color coded blue, and have color coded security rating entries.
  • the Protocol column refers to protocols within the IP suite. The most common IP suite protocols used are TCP, UDP and ICMP.
  • the Rule Action column identifies if the communication flow is being allowed or denied.
  • Rules that have a vulnerability have a hyperlink that when clicked pops up a window that provides an explanation of the vulnerability. If the user selects any of these rule entries, for example, by clicking with a mouse button, program tool 160 displays additional information about the rule and a recommendation on how to fix a vulnerability problem, if any, associated with the rule. In the example of FIG. 11 , the user has clicked on “Rule 5 ”, and in response, pop up window 1041 is displayed.
  • the additional information comprises a description of vulnerability and mitigation recommendations. Examples of recommendations are as follows: remove rule, rewrite rule, upgrade patch level, use alternate protocol(s). The additional information about each type of problem and the recommendation of how to fix each type of problem were previously entered into a recommendations database 950 .
  • the third option is to display a table which lists each of the rules in the ruleset for the firewall, and also indicates the rules which represent data flow misconfigurations.
  • FIG. 12 illustrates an example of a misconfiguration table for firewall 21 .
  • FIG. 11 is shown in black and white pursuant to USPTO rules, although in actuality, some of the entries as described below are colored to provide associated information.
  • the Rule Number column identifies the order in which the rules are processed by the firewall. For each of the rules there is an entry for (a) security rating, (b) rule number, (c) source IP address for the data flow, (d) destination IP address for the data flow, (e) IP protocol, (f) port and (g) rule action.
  • the table displays the complete ruleset and identifies all rules that have been found to have rule inconsistencies, contradictions and redundancies.
  • the Security Rating column gives a rating of each configuration issue identified. These ratings are based on what effect the rule has on the network. For any of the rules for which program function 140 has identified a data flow configuration problem, there is an “low”, “medium” or “high” entry for the security rating, and color coding of the security rating entry indicating the severity of the configuration problem, for example, green, yellow or red, respectively. The lower the security rating, the lesser the effect on the network caused by the misconfiguration. For any of the rules for which program function 140 has identified a data flow configuration problem, there is also highlighting of the respective rule number to indicate a hyperlink.
  • rules 3 , 7 , 8 , 10 , 13 and 14 have been highlighted.
  • Rules that have a misconfiguration have a hyperlink that when clicked pops up a window that provides an explanation of the misconfiguration. If the user selects any of these rule entries, for example, by clicking with a mouse button, program tool 160 displays additional information about the rule and a recommendation on how to fix the problem. In the example, the user has clicked rule 8 , and in response, a pop up window 1051 has been displayed.
  • the additional information comprises a description of the vulnerability and mitigation recommendations. Examples of recommendations are as follows: remove rule, rewrite rule, upgrade patch level, use alternate protocol(s).
  • the additional information about each type of problem and the recommendation of how to fix each type of problem were previously entered into the recommendations database 950 .
  • the entries in the Source IP address(es) column and Destination IP Address(es) columns are color-coded based upon the type of their zone.
  • the color red identifies an Internet (unknown and untrusted) network.
  • the color yellow identifies an extranet (known but untrusted, i.e. semi-secure) network.
  • the color green identifies a protected extranet (known and semi-trusted) network.
  • the color blue identifies an intranet (known and trusted) network.
  • the entries for the source IP addresses for rules 1 , 2 , 3 , 8 , 10 , 11 and 13 are color coded blue
  • the entries for the source IP addresses for rules 5, 7, 9 and 12 are color coded yellow
  • the source IP addresses for the entries for rules 6 and 14 are color coded green.
  • the entries for the destination IP addresses for rules 1 , 2 , 3 , 9 and 12 are color coded blue
  • the entries for the destination IP addresses for rules 4, 6, 7, 8, 10, 11, 13 and 14 are color coded yellow.
  • rules 7 , 8 , 10 , 13 , and 14 create inconsistencies, contradictions and redundancies between rules.
  • rule 3 is considered a medium risk because it allows access to the firewall on TCP port 49 .
  • Firewall rules should never allow flows to the firewall with the exception of management communications.
  • the Protocol column refers to protocols within the IP suite. The most common IP suite protocols used are TCP, UDP and ICMP.
  • the Rule Action column identifies if the communication flow is being allowed or denied.
  • the fourth option (branch 980 ) is to display a table which lists each of the (nondataflow) settings for the firewall.
  • FIG. 13 illustrates an example of a firewall settings table for firewall 21 .
  • the firewall settings table identifies the security rating of each firewall setting and whether the firewall setting is improper.
  • the Security Rating column gives a rating of each setting which is identified. There are three types of security ratings: Low, Medium and High. For any of the settings which program function 140 has identified as improper, there is a “high”, “medium” or “low” entry for the security rating, and color coding of the security rating entry indicating the severity of the problem, for example, red, yellow or green, respectively. These ratings are based on the impact of the setting and the difficulty of exploiting it.
  • the example firewall setting, “Outside interface security level 100 , Inside interface security level 0 ,” is actually improper but has a low rating, assuming the rules associated with each interface are correct. This is because the rules govern the access through the interface.
  • a typical medium setting, color-coded in yellow, would have moderate impact on the firewall.
  • the example firewall setting, “SNMP community “SNMPkey,” is considered a medium setting because it would allow an attacker to easily guess the community string and gain SNMP access to the firewall.
  • the example firewall setting “Logging buffered notifications,” is considered a high setting because the firewall logs are buffered on the firewall.
  • When the buffer fills up, the buffer starts to write over older logs.
  • This overwriting prevents a good history of events and an accurate record in case a computer forensics investigation is required.
  • Each rating has a hyperlink that when clicked pops up a window that provides an explanation of the configuration setting and recommendations.
  • program tool 160 displays additional information about the setting and a recommendation on how to fix the problem.
  • the additional information comprises a description of the vulnerability and mitigation recommendations. Examples of recommendations are as follows: reconfigure SNMP to use private strings, use the authentication to access firewall management, and turn off unnecessary services.
  • the additional information about each type of problem and the recommendation of how to fix each type of problem were previously entered into database 950 . After presenting the options to the user in step 902 , the user selects one of the options in step 904 .
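Program function 150's comparison of non-dataflow settings against a list of improper settings, and the rated settings table of FIG. 13 that program function 160 builds from the result, can be shown together on a few configuration lines. This is an added example written for this page, not code from the patent or its assignee: the statement syntax is constructed (loosely Cisco-style), the guessable-community list, the minimum community length, the ratings and the recommendation strings stand in for findings database 810 and recommendations database 950, and the sample configuration is constructed.

```python
import re
from typing import List, NamedTuple


class SettingFinding(NamedTuple):
    line_no: int         # configuration line the finding refers to (0 = absent statement)
    setting: str         # the improper actual setting as written
    rating: str          # "low", "medium" or "high"
    color: str           # green, yellow or red, respectively
    recommendation: str


RATING_COLOR = {"low": "green", "medium": "yellow", "high": "red"}
RATING_ORDER = ["low", "medium", "high"]

# Constructed stand-in for the improper-settings list: community strings that are vendor
# defaults or trivially guessable, and a length below which a string is rated low.
GUESSABLE_COMMUNITIES = {"public", "private", "snmpkey"}
MIN_COMMUNITY_LEN = 12

# Constructed statement patterns; a real checker would use the vendor's configuration grammar.
SNMP_COMMUNITY = re.compile(r"^\s*snmp-server community (\S+)")
LOGGING_BUFFERED = re.compile(r"^\s*logging buffered\b")
AAA_AUTHENTICATION = re.compile(r"^\s*aaa authentication\b")


def _finding(n: int, line: str, rating: str, recommendation: str) -> SettingFinding:
    return SettingFinding(n, line.strip(), rating, RATING_COLOR[rating], recommendation)


def check_settings(config_text: str) -> List[SettingFinding]:
    """Compare each non-dataflow setting to the improper-setting list and rate the matches.
    Returned in settings-table order: most severe first, then by configuration line."""
    findings = []
    admin_auth_present = False
    for n, line in enumerate(config_text.splitlines(), 1):
        m = SNMP_COMMUNITY.match(line)
        if m:
            community = m.group(1)
            if community.lower() in GUESSABLE_COMMUNITIES:
                findings.append(_finding(n, line, "medium", "reconfigure SNMP to use private strings"))
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(_finding(n, line, "low", "use a longer SNMP community string"))
        if LOGGING_BUFFERED.match(line):
            findings.append(_finding(n, line, "high",
                                     "log to a remote server so a full buffer cannot overwrite the event history"))
        if AAA_AUTHENTICATION.match(line):
            admin_auth_present = True
    if not admin_auth_present:
        # The check is for the absence of a statement, so there is no line to point at.
        findings.append(_finding(0, "(no aaa authentication statement)", "medium",
                                 "use authentication to access firewall management"))
    return sorted(findings, key=lambda f: (-RATING_ORDER.index(f.rating), f.line_no))


# Constructed sample configuration for a firewall named after firewall 21 in the page.
CONSTRUCTED_CONFIG = """\
hostname fw21
snmp-server community SNMPkey
snmp-server community Zq8kLm3pVx7tRw2e
logging buffered notifications
"""

if __name__ == "__main__":
    for f in check_settings(CONSTRUCTED_CONFIG):
        print(f"{f.rating:6} {f.color:6} line {f.line_no}: {f.setting} -> {f.recommendation}")
```

The second community string passes both tests and produces no row, which mirrors the page's point that a setting is only listed when it matches an entry in the improper-settings list; the absence check for administrator authentication shows that some entries in that list describe a missing statement rather than a present one.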
  • program function 160 reads the zone table 404 to determine which firewall(s) and their interfaces interconnect which networks/zones (step 906 ).
  • Program function 160 has in storage, (a) a predetermined “cloud” icon to represent each network/zone, (b) a predetermined firewall icon to represent each firewall in the composite network, and (c) a predetermined connector line to connect each firewall to the networks/zones which it interconnects.
  • From the zone table information, and using the predefined icons and a graphical knowledge base to lay out the cloud icons so they do not overlap one another and are adjacent to their respective interfaces, program function 160 generates the portion of the network diagram illustrating the interfaces and their respective networks/zones (step 910). Also from the zone table 404, program function 160 learns the security level of each zone, and then color codes the zone icon accordingly, i.e. blue, green, yellow or red (step 914). Next, program function 160 reads the data flow checking table 514 to determine the ports used for communication through each firewall to and from the respective networks/zones (step 915), and the direction of each data flow (step 916).
  • Program function 160 uses this information to list the port numbers adjacent to the displayed firewall icons and generate arrows indicating the direction of the permitted communication through the ports (step 920 ).
  • program function 160 reads the data flow misconfiguration database 730 and found vulnerability database 610 and improper actual setting database 830 to determine the total number of findings (step 922 ).
  • program function 160 displays these numbers adjacent to the respective firewall (step 924 ) in the form of pie chart 1035 .
  • program function 160 displays the resulting network diagram on display screen 49 to the user (step 930 ).
  • Beginning at step 940, program function 160 reads the data flow checking table 514 to determine the data flows permitted through each interface (step 942). For each permitted data flow, the data flow checking table 514 indicates the source IP address, destination IP address, firewall interface, protocol, port, rule action and direction of data flow through the interface. Then, program function 160 begins to build the vulnerability table containing, for each data flow, the rule number, source IP address, destination IP address, and rule action (step 943).
  • program function 160 reads the zone table 404 to determine the security level of each of the networks/zones containing the source IP addresses and each of the networks/zones containing the destination IP addresses (step 944 ). Then, program function 160 color codes the source IP address entries and destination IP address entries accordingly, i.e. blue, green, yellow and red (step 946 ). Then, program function 160 reads from the configuration table the type of protocol and port number used for each of the data flows and adds the protocol and port number to the vulnerability table (step 948 ). Then, program function 160 reads the found-vulnerability database 610 to determine which of the rules pose a vulnerability (step 950 ).
  • program function 160 assigns to each vulnerable rule a severity level based on a severity table, and color codes the protocol entry according to the severity level, i.e. red, yellow or green (step 952 ). Finally, program function 160 displays the vulnerability table on display screen 49 (step 954 ). If requested, program function 160 will also printout the information in the vulnerability table (step 956 ).
  • Beginning at step 962, program function 160 reads the data flow checking table 514 to determine the data flows permitted through each interface. For each permitted data flow, the data flow checking table 514 indicates the source IP address, destination IP address, firewall interface, protocol, port, rule action and direction of data flow through the interface. Then, program function 160 begins to build the misconfiguration table containing, for each data flow, the rule number, source IP address, destination IP address, protocol, port and rule action (step 963).
  • program function 160 reads the zone table 404 to determine the security level of each of the networks/zones containing the source IP addresses and each of the networks/zones containing the destination IP addresses (step 964 ). Then, program function 160 color codes the source IP address entries and destination IP address entries accordingly, i.e. blue, green, yellow and red (step 965 ). Then, program function 160 reads the misconfiguration database 730 to determine which of the rules represent a misconfiguration (step 967 ). Then, program function 160 assigns a severity level to each misconfiguration based on a severity table, and color codes the protocol entry according to the severity level, i.e. red, yellow or green (step 968 ). Finally, program function 160 displays the misconfiguration table on display screen 49 (step 970 ). If requested, program function 160 will also printout the information in the misconfiguration table (step 972 ).
  • Beginning at step 982, program function 160 reads the actual improper settings database 830 to determine the actual improper settings within the firewall. For each improper setting, program function 160 begins to build an improper settings table indicating a description of the actual improper setting (step 984). Then, program function 160 reads the improper settings database 810 to determine a severity level of each improper actual setting (step 986). Then, program function 160 color codes the entry in the improper settings table according to the severity level, i.e. red, yellow or green (step 988). Finally, program function 160 displays the improper settings table on display screen 49 (step 990). If requested, program function 160 will also print out the information in the improper settings table (step 992).
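The table-building steps of the second option (942 through 952) can be carried out end to end on a small constructed zone table and ruleset: look up the zone of each source and destination address, color those entries by zone security level (an address of "any" is left uncolored, as the page specifies), take the set of vulnerable rules from the findings, and color the rating entry by severity with the rule number hyperlinked only where there is a finding. This is an added example written for this page, not code from the patent or its assignee. The zone prefixes, the firewall's interface addresses, the management-port set and the sample rules are constructed; the one vulnerability criterion implemented is the one the page states for its rule 3 (a permitted flow to the firewall itself on a port other than a management port), and the `OTHER_FINDINGS` dictionary stands in for the rest of found-vulnerability database 610.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    number: int
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str
    port: Optional[int]
    action: str          # "permit" or "deny"


# Constructed stand-in for zone table 404: network prefix -> (zone, security level).
ZONE_TABLE = {
    "10.13.0.0/16": ("network 13", 100),
    "10.11.0.0/16": ("network 11", 70),
    "10.12.0.0/16": ("network 12", 50),
}
# Constructed: the firewall's own interface addresses, and the management ports that are
# the only acceptable destinations for flows addressed to the firewall itself.
FIREWALL_ADDRESSES = {"10.13.0.1", "10.11.0.1", "10.12.0.1"}
MANAGEMENT_PORTS = {22, 443}

SEVERITY_COLOR = {"high": "red", "medium": "yellow", "low": "green"}


def zone_color(level: int) -> str:
    """Reverse-rainbow coding of a zone's security level (thresholds constructed)."""
    if level >= 100:
        return "blue"
    if level >= 70:
        return "green"
    if level >= 50:
        return "yellow"
    return "red"


def zone_of(spec: str) -> Tuple[str, Optional[int]]:
    """Zone name and level for an address specification; "any" belongs to no single zone."""
    if spec == "any":
        return ("any", None)
    net = ipaddress.ip_network(spec, strict=False)
    for prefix, info in ZONE_TABLE.items():
        if net.subnet_of(ipaddress.ip_network(prefix)):
            return info
    return ("unknown", 0)  # address space not in the zone table is treated as untrusted


def find_vulnerabilities(rules: List[Rule], other_findings: Dict[int, str]) -> Dict[int, str]:
    """Stand-in for database 610: rule number -> severity. Implements the flow-to-the-firewall
    check from the page; `other_findings` carries constructed results of checks not shown."""
    found = dict(other_findings)
    for r in rules:
        if r.action != "permit" or r.dst == "any":
            continue
        dst = ipaddress.ip_network(r.dst, strict=False)
        if (dst.num_addresses == 1 and str(dst.network_address) in FIREWALL_ADDRESSES
                and r.port not in MANAGEMENT_PORTS):
            found.setdefault(r.number, "medium")
    return found


def build_vulnerability_table(rules: List[Rule], found: Dict[int, str]) -> List[dict]:
    """One row per rule in processing order, with the color attributes the display needs."""
    rows = []
    for r in rules:
        _, src_level = zone_of(r.src)
        _, dst_level = zone_of(r.dst)
        severity = found.get(r.number)
        rows.append({
            "rating": severity or "",
            "rating_color": SEVERITY_COLOR.get(severity, ""),
            "rule": r.number,
            "hyperlink": severity is not None,      # only vulnerable rules open a pop-up
            "src": r.src, "src_color": "" if src_level is None else zone_color(src_level),
            "dst": r.dst, "dst_color": "" if dst_level is None else zone_color(dst_level),
            "proto": r.proto, "port": r.port, "action": r.action,
        })
    return rows


# Constructed sample ruleset for the firewall joining the three zones above.
SAMPLE_RULES = [
    Rule(1, "10.13.0.0/16", "10.11.0.0/16", "tcp", 443, "permit"),
    Rule(2, "10.12.0.0/16", "10.13.0.1/32", "tcp", 49, "permit"),   # to the firewall itself
    Rule(3, "any",          "10.12.0.0/16", "tcp", 80, "permit"),
    Rule(4, "10.11.0.0/16", "10.11.0.1/32", "tcp", 22, "permit"),   # management port, acceptable
]
OTHER_FINDINGS = {3: "low"}   # constructed result of a check not implemented here

if __name__ == "__main__":
    for row in build_vulnerability_table(SAMPLE_RULES, find_vulnerabilities(SAMPLE_RULES, OTHER_FINDINGS)):
        print(row)
```

The misconfiguration table of the third option is produced the same way with database 730 in place of database 610, and the printout of FIG. 14 is the same rows with the recommendation text appended, so the row builder is the piece worth keeping generic.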
  • FIG. 14 illustrates an example of a printout of vulnerability findings for firewall 21 , and includes for each vulnerable flow, the security rating for the vulnerability, the number of the rule that causes the vulnerability, the source IP address and destination IP address of the vulnerable flow, the network port and protocol of the vulnerable flow, and the recommendation to mitigate the vulnerability.
  • FIG. 15 illustrates an example of a printout of misconfiguration findings for firewall 21 , and includes for each misconfigured rule, the security rating for the misconfiguration, the number of the rule that causes the misconfiguration, the source IP address and destination IP address of the misconfigured flow, the network port and protocol of the misconfigured flow, whether the flow is permitted, and a description of the misconfiguration including where appropriate a recommendation to mitigate the misconfiguration.
  • FIG. 16 illustrates an example of a printout of improper settings of firewall 21 , and includes for each improper setting, the security rating for the improper setting, a description of the setting, an explanation of the problem caused by the setting, and a recommendation to correct the setting.
  • The process of FIGS. 3-9(A) and 9(B) can be repeated for firewall 22.
  • the foregoing process can be repeated for routers or other stateless and/or stateful inspection devices.
  • the foregoing process can be repeated for a set of firewalls to represent holistically, the enterprise wide firewall data flow and vulnerability status. Therefore, the present invention has been disclosed by way of illustration and not limitation, and reference should be made to the following claims to determine the scope of the present invention.

Abstract

A graphical representation of the firewall and a network coupled to the firewall is generated and displayed. A number of an inbound port of the network is displayed. An arrow adjacent to the port number pointing toward the network is displayed to indicate that a communication is permitted to the port. The port number and the arrow are located between an icon for the network and an icon for the firewall. A port number of a destination of a communication originating from the network is displayed. Also, another arrow adjacent to the destination port number pointing toward the firewall is displayed to indicate that a communication is permitted to the destination port number. The destination port number and the other arrow are located between an icon for the network and an icon for the firewall. A table including definitions of a plurality of rules is generated and displayed. Each of the definitions includes entries for a source IP address and destination IP address of a permitted but vulnerable data flow. The source IP address and destination IP address entries are color coded to indicate security levels of respective source and destination networks. Another table includes definitions of a misconfigured data flow, and entries for a source IP address and destination IP address of the misconfigured data flow. The source IP address and destination IP address are color coded to indicate security levels of respective source network and destination network.

Description

    BACKGROUND OF THE INVENTION
  • The invention relates generally to computer networks, and deals more particularly with a technique to graphically present data flows, vulnerabilities and misconfigurations in a firewall.
  • To provide security, there are separate networks with security controls between each network. This enables an enterprise network to house confidential data separately from publicly available data, to separate financial networks from service networks, etc. All of these design considerations provide confidentiality, integrity and availability. Because external entities are not under complete control of the enterprise and are open to unknown users who may not be trusted, these networks are not considered trusted. Typically, an enterprise intranet is considered known and trusted because it houses internal communications within the enterprise. While this intranet communicates with an external network environment either to transmit or receive data communications, the intranet generally will not need to receive inbound communications directly from untrusted networks. An extranet comprises known but untrusted network environments, such as “Demilitarized Zones (“DMZ”),” “Service networks” and “Business to Business (B2B) interconnections.” These networks are semi-secure because the owners and users are generally known but not trusted. There are also external unknown and untrusted networks such as the Open Internet. These are the riskiest types of networks with which to communicate.
  • The security controls between networks are often provided by a firewall. A firewall is a network device that can protect a variety of networks by inspecting, filtering and blocking data which flows to and through the network. The firewall can be installed between known and trusted networks, known and untrusted networks, and unknown and untrusted networks. A firewall is comprised of a routing engine and filters to screen out unwanted data communications. The firewall is responsible for enforcing a security policy for incoming and outgoing communications. The security policy may define the types of networks with which the known network is permitted to communicate and what protocols are permitted for the communications. For example, the firewall may only permit communications between the intranet and the enterprise's “DMZ”, which is located between a trusted internal network and an untrusted and unknown external network. An enterprise's DMZ is comprised of servers and other related devices that are supplied and managed by the enterprise, but generally do not contain unencrypted sensitive data. Therefore, if the servers in the enterprise's DMZ are corrupted by a communication from another, untrusted network, the damage is limited. Because the management of these DMZ servers is performed by the enterprise itself, a measure of security exists in the enterprise DMZ which does not exist in the Open Internet. There are cases when a network does not have a firewall, in which case it connects directly to other networks through a router.
  • Not only can a firewall deny traffic to and from networks, it can more granularly limit traffic between networks by limiting which hosts have access to communicate to or from network entities. These hosts are considered sophisticated enough to avoid receipt of damaging messages. These hosts are listed in a firewall ruleset. The firewall checks the ruleset for host identifiers (ex. IP Address or hostname) before permitting the communications. Audits of these rulesets are necessary to understand which hosts have outbound connectivity and determine if any of the rules violate a pre-specified corporate security mandate.
  • A third way a firewall can limit traffic between networks is by communication protocols and ports. The most common communication protocols are TCP, UDP and ICMP. Each of these protocols includes usage criteria such as the range of ports used by TCP and UDP for certain types of requests. The TCP and UDP ports indicate which applications in the recipient device should provide the requested services. It is desirable in some cases to limit the range of ports for certain types of communications. The limitation on the range of ports facilitates the handling of the requested service. For example, many programs are written to open any available TCP or UDP port. This makes the identification of the application using such a port difficult. In some such cases it is possible to restrict the range of ports available to these applications to assist in identifying which application is using the port. It may be preferable for some networks to not allow communication using an application requiring an unlimited range of TCP or UDP ports.
  • The protocols also may specify the types of ICMP which are permitted. Example types are Echo Request (which sends a ping), Echo Reply (which responds to a ping) and Host Unreachable. Some networks may not wish to accept certain types of ICMP messages. For example, some destination networks deny Echo Request messages from untrusted networks because they are potential denial of service attacks.
  • Some protocols are more controllable than others. For example, TCP provides “handshaking” for every communication whereas UDP does not. So, TCP is more controllable and trustworthy than UDP. Therefore, some networks may not want to accept UDP communications. It was known for an administrator to check whether the firewall permits incoming UDP communications, and if so, report a security violation. These checks were performed by reviewing the firewall access control lists or by sniffing traffic.
  • The security policy of a firewall also may prohibit certain message flows, such as those involving certain versions of Telnet and the Berkeley R commands (rsh, rlogin) because these protocols have known security holes. It was known for a systems administrator to check if the firewall permits such message flows, and if so, report a security violation. These checks were performed by reviewing the firewall access control lists or by sniffing traffic.
  • The vast configurability of firewall rules equates to very complex rulesets with significant potential for mistakes. Filter rules should be verified regularly to ensure they conform to the enterprise security policy, are configured properly and function as intended. Traditionally, this is completed manually by a systems administrator or a person outside of the day-to-day operations of the firewall such as a security administrator. The systems administrator or security administrator reviews each firewall rule to confirm the network type of each IP address and ensure that the data flows configured in the firewall are acceptable according to the enterprise security policy. While this technique is effective, it requires tedious, human review of the configuration information from each network with which communication is desired, and there can be many such networks. Routers and firewalls of networks are often changed, and this may require the systems administrator or security administrator to repeat the foregoing investigation.
  • A Solsoft computer program (by Solsoft Inc.) was known to display a diagram of networks connected to each other, and firewalls within the networks. This program includes an option to color code each of the networks. This option was commercially used (more than one year ago) to color code each network based on the security level of the network. This known color coding was blue for a most secure intranet, green for protected DMZ or Service network, yellow for a DMZ or Service network and red for an insecure network such as the Open Internet.
  • EP 1119151A2 to Alain et al. discloses a computer program which displays a graphical representation of a network; the data flows of the network can be determined through a series of queries.
  • An object of the present invention is to improve the process of reporting data flows, data flow vulnerabilities, data flow misconfigurations and improper firewall settings.
  • SUMMARY OF THE INVENTION
  • The invention resides in a system, method and computer program product for reporting a data flow in a firewall. A graphical representation of the firewall and a network coupled to the firewall is generated and displayed. A number of an inbound port of the network is displayed. An arrow adjacent to the port number pointing toward the network is displayed to indicate that a communication is permitted to the port.
  • According to a feature of the present invention, the port number and the arrow are located between an icon for the network and an icon for the firewall.
  • According to another feature of the present invention, a port number of a destination of a communication originating from the network is displayed. Also, another arrow adjacent to the destination port number pointing toward the firewall is displayed to indicate that a communication is permitted to the destination port number. The destination port number and the other arrow are located between an icon for the network and an icon for the firewall.
  • The invention also resides in a system, method and program product for reporting data flow vulnerabilities in a firewall. A table including definitions of a plurality of rules is generated and displayed. Each of the definitions includes an entry for a source IP address of a permitted but vulnerable data flow, an entry for a destination IP address of the permitted but vulnerable data flow, and an entry for a protocol or destination port of the permitted but vulnerable data flow. The source IP address entry in the table is color coded to indicate a security level of a source network containing the source IP address. The destination IP address entry in the displayed table is color coded to indicate a security level of a destination network containing the destination IP address.
  • According to a feature of the present invention, the definition for each of the rules includes both the entry for the protocol and the entry for the destination port. The entry for the protocol and/or the entry for the destination port is color coded to indicate a severity of the vulnerability.
  • According to another feature of the present invention, the table also includes other definitions of another plurality of rules. Each of the other definitions including an entry for a source IP address of a vulnerable, denied data flow, an entry for a destination address of the vulnerable, denied data flow, and an entry for a protocol or destination port of the vulnerable, denied data flow. The source IP address entry in the table is color coded to indicate a security level of a source network containing the source IP address of the vulnerable, denied data flow. The destination IP address entry in the table is color coded to indicate a security level of a destination network containing the destination IP address of the vulnerable, denied data flow.
  • The invention also resides in a system, method and computer program product for reporting data flow misconfigurations in a firewall. A table including definitions of a plurality of rules is generated and displayed. Each of the definitions includes an entry for a source IP address of a permitted but misconfigured data flow, an entry for a destination IP address of the permitted but misconfigured data flow, and an entry for a protocol or destination port of the permitted but misconfigured data flow. The source IP address entry in the table is color coded to indicate a security level of a source network containing the source IP address. The destination IP address entry in the table is color coded to indicate a security level of a destination network containing the destination IP address.
  • According to a feature of the present invention, the definition for each of the rules includes both the entry for the protocol and the entry for said destination port. The entry for the protocol or the entry for the port is color coded to indicate a severity of the misconfiguration.
  • The invention also resides in a system, method and computer program product for reporting improper settings in a firewall. A table including descriptions and security-risk severity ratings of a respective plurality of settings of the firewall is generated and displayed. Some or all of the settings are improper. The security-risk ratings or descriptions of the improper settings are color coded to indicate respective security-risk severities of the improper settings.
  • BRIEF DESCRIPTION OF THE FIGURES
  • FIG. 1 is a block diagram of multiple, interconnected networks in which the present invention can be used, and includes a firewall security checking server to execute a security checking program according to the present invention.
  • FIG. 2 is a more detailed block diagram of FIG. 1 illustrating the specific program functions within the security checking program.
  • FIG. 3 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to gather information about the data flow configuration of firewall.
  • FIG. 4 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine information about zones interconnected by the firewall, and the interfaces for each zone.
  • FIG. 5 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine data flows through each interface of the firewall.
  • FIG. 6 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine vulnerabilities in the data flows through the firewall.
  • FIG. 7 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine misconfigurations in the data flows through the firewall.
  • FIG. 8 is a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to determine improper settings (other than data flows) of firewall.
  • FIGS. 9(A) and 9(B) form a flow chart illustrating the steps of a program function within the security checking program of FIG. 1 to display a network diagram, vulnerabilities and misconfigurations in the data flows through the firewall, and improper settings on the firewall itself.
  • FIG. 10 is an example of a network diagram generated by the program function of FIGS. 9(A) and 9(B).
  • FIG. 11 is an example of a vulnerability table generated and displayed by the program function of FIGS. 9(A) and 9(B).
  • FIG. 12 is an example of a misconfiguration table generated and displayed by the program function of FIGS. 9(A) and 9(B).
  • FIG. 13 is an example of an improper settings table generated and displayed by the program function of FIGS. 9(A) and 9(B).
  • FIG. 14 is an example of a printout of vulnerability findings for firewall 21, by the program function of FIGS. 9(A) and 9(B).
  • FIG. 15 is an example of a printout of misconfiguration findings for firewall 21, by the program function of FIGS. 9(A) and 9(B).
  • FIG. 16 is an example of a printout of improper settings of firewall 21, by the program function of FIGS. 9(A) and 9(B).
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • The present invention will now be described in detail with reference to the figures. FIG. 1 illustrates four networks 11-14. Network 13 has a firewall 21 which filters communications between network 13 and networks 11 and 12. There may be routers (not shown) within networks 11, 12 and 13. By way of example, network 13 is a secure (“Blue”) enterprise intranet, network 12 is a semi-secure (“Yellow”) DMZ, and network 11 is a semi-trusted (“Green”) network (from the point of view of network 13). By way of example, network 14 is an untrusted network such as the Open Internet, and is coupled to DMZ network 12 via another firewall 22 of DMZ network 12. However, the present invention can be used with a wide variety of networks. Network 13 comprises a firewall management computer 50 which manages firewall 21. The management functions include authorization, logging, and remote administration. Network 13 also comprises a firewall security checking server 51 which is responsible for checking the security policy within firewall 21 and reporting any vulnerabilities, misconfigurations and problems in settings. (Alternately, firewall security checking server 51 could exist on a standalone network.) Network 13 also comprises one or more servers 29 and workstations (not shown). Network 11 comprises one or more servers 31 which can communicate with server 29 via firewall 21. Likewise, network 12 comprises one or more servers 32 which can communicate with server 29 via firewall 21. Network 14 comprises one or more servers 34 which can communicate with servers 32 via firewall 22.
  • FIG. 2 illustrates a firewall security checking program 100 within firewall security checking server 51. Security checking program 100 identifies all data flows and highlights vulnerable and misconfigured data flows and improper firewall settings permitted by firewall 21, and then displays them as described below. Security checking program 100 includes the following program functions or modules. A program function 110 gathers configuration information about firewall 21 needed to determine the data flows, vulnerabilities and misconfigurations. A program function 112 gathers firewall interface and zone/network information for each firewall, such as which types of networks connect to firewall 21. The interface and zone information is needed to correlate a set of data flow rules to the proper firewall interface and adjacent zone/network. In the illustrated example, the different types of networks include a “Blue” zone such as the enterprise intranet, a “Green” zone such as a network accessible only to semi-trusted entities such as business partners, a “Yellow” zone such as a DMZ for an intranet, and a “Red” zone such as the Internet. A program function 120 checks data flow rules for each interface, such as what protocols and ports should be permitted to/through the interface. A program function 130 determines vulnerabilities in data flows such as use of vulnerable communication programs, protocols and ports. A program function 140 determines misconfigurations in data flows such as when the firewall permits two contradictory rules. A program function 150 determines errors in settings within the firewall unrelated to data flow rules, such as settings for an SNMP function (for notification and management of events) and administration of the firewall 21. 
A program function 160 controls a computer display to graphically present the data flows, vulnerabilities and misconfigurations in a manner which effectively shows the data flows, vulnerabilities and misconfigurations to the user.
  • As illustrated in FIG. 3, program function 110 requests and gathers configuration information about the firewall 21 needed to determine data flows, vulnerabilities and misconfigurations within firewall 21. The configuration information comprises a set of firewall data flow rules, firewall settings, authentication methods and information about the security level of each zone/network connected to the firewall. For example, a Cisco PIX firewall specifies a security level of an adjacent zone by a number 0-100 where “0” is the lowest security, i.e. the (red) Internet, and “100” is the highest security, i.e. the (blue) intranet. Because the green zone has a higher security representation than the yellow zone, it would accordingly be represented by a higher number. The firewall “rules” specify which data flows are permitted and not permitted (a) into the firewall, (b) out of the firewall and (c) through the firewall, i.e. from one firewall interface to another firewall interface. A “data flow” may be defined by a source IP address, destination IP address, IP protocol and port number of a communication. The firewall “interfaces” indicate a physical connection to a network and therefore define the networks which are serviced by the firewall. Program function 110 obtains the configuration information by request (for example by secure shell or e-mail from an administrator) directly from configuration files within firewall 21, or by request from firewall management console 50 (step 302). After gathering the information, program function 110 stores the configuration information as a configuration table or file 304 in storage 305 (step 306).
  • As illustrated in FIG. 4, program function 112 gathers zone/network information needed to determine data flows, vulnerabilities and misconfigurations within firewall 21. In step 402, program function 112 reads from storage 305, the configuration file 304 generated by program function 110. Then, program function 112 parses the file 304 to identify the firewall 21 interfaces (steps 402 and 404). Then, program function 112 determines if the configuration file 304 contains other network information, such as the range of IP addresses for each network, the IP address of each device in the network, and description of routing to networks not directly connected to firewall 21 (step 406). If configuration file 304 does not contain all of this network information, then program function 112 queries the user to input the missing network information (step 408). If the configuration file 304 contains all of this network information or after the user enters the missing network information, program function 112 determines if the configuration file 304 indicates a numerical security level of each zone (decision 410). If not, then program function 112 queries the user to input the numerical security level of each zone, preferably the numerical value on a scale of one to one hundred; similar to security rankings used by the Cisco PIX firewall (step 412). If the configuration file contains the security level information of each zone, or after the user enters the zone security level information, program function 112 “collates” the zone information, i.e. associates with each firewall interface the security levels of each zone or remote network. Then, program function 112 writes the collated zone information to a zone table 404 in storage 305 (step 414).
  • As noted above, program function 120 analyses data flow rules for each interface. Program function 120 operates as follows. In step 502, the data flow checking program function 120 reads the firewall interface and zone information from the zone table 404. Program function 120 also reads data flow rules from the configuration file 304. Then, program function 120 selects one of the firewall interfaces and begins checking the data flow rules in order to correlate to each interface the rules that apply to it (step 506). Assuming there is still an interface yet to be analyzed for firewall 21 (decision 508, no branch), program function 120 reads the first rule (step 510), and determines if it is associated with the interface currently being evaluated (decision 512). This determination is made by evaluating IP addresses or access list names. If the rule is associated with the interface currently being evaluated (decision 512, yes branch), program function 120 writes the rule to a data flow checking table 514 (step 516). However, if the rule is not so associated, or after step 516, program function 120 determines if this is the last rule in the ruleset to consider (decision 520). If not (decision 520, no branch), then program function 120 loops back to step 510 to select the next rule in the ruleset and determine whether it is associated with the interface currently being evaluated. Steps 510, 512, 516 and 520 are repeated for each rule in the ruleset. Then, (decision 520, yes branch), program function 120 determines from data flow checking table 514 if any rules from the ruleset were found to be associated with the current interface being evaluated (decision 524). If not, program function 120 writes default behavior to the data flow checking table 514 for this interface (step 526). The default behavior comprises logic of the specific firewall type, for example, how it handles null rulesets. 
After decision 524, yes branch, where there was at least one rule from the ruleset found to be associated with the current interface or after step 526, program function 120 loops back to step 506 to repeat the foregoing steps 508, 510, 512, 516, 520, 524 and 526 for the next interface of firewall 21.
  • Refer again to decision 508, yes branch, where program function 120 has evaluated the last interface for firewall 21. At that time, program function 120 determines if any rules in the ruleset have not been found to be associated with an interface of firewall 21 (decision 530). If so, program function 120 writes default behavior to data flow checking table 514 (step 532). The default behavior comprises logic of the specific firewall type, for example, how it handles rules that have not been associated with an interface. However, if program function 120 has found all of the rules of the ruleset to be associated with an interface of firewall 21 (or after step 532), then program function 120 has completed its checking, and proceeds to step 602 to invoke program function 130.
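The following Python is an added worked example of what program functions 110, 112 and 120 gather and correlate; it is not code from the patent. It parses a constructed PIX 6.x-style configuration (interface names with `security` levels, `access-list` rules and the `access-group` bindings that tie an access list to an interface), assigns each rule to its interface, and reports the two leftover cases the patent handles by "default behavior": interfaces with no rules and rules bound to no interface. The colour thresholds in `zone_color` are an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed PIX 6.x-style configuration for this example; not a real device's.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_out permit tcp any host 192.0.2.10 eq 80
access-list acl_out permit tcp any host 192.0.2.10 eq 443
access-list acl_out deny ip any any
access-list acl_dmz permit tcp 192.0.2.0 255.255.255.0 host 10.0.0.5 eq 1433
access-list acl_orphan permit udp any any eq 514
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
"""


@dataclass
class Rule:
    acl: str
    action: str                        # permit or deny
    protocol: str                      # ip, tcp, udp or icmp
    src: str                           # CIDR
    dst: str                           # CIDR
    dport: Optional[str]               # destination port, None = any
    interface: Optional[str] = None    # filled in by correlate_rules()


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one PIX address specification (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    prefix = sum(bin(int(octet)).count("1") for octet in tokens[i + 1].split("."))
    return f"{tokens[i]}/{prefix}", i + 2


def parse_config(text: str) -> Dict:
    """Program functions 110/112: extract interfaces with their security levels,
    access-list rules, and the access-group bindings of ACLs to interfaces."""
    interfaces: Dict[str, int] = {}
    rules: List[Rule] = []
    bindings: Dict[str, str] = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                 # nameif <hw> <name> security<N>
            interfaces[t[2]] = int(t[3][len("security"):])
        elif t[0] == "access-list":          # access-list <acl> <action> <proto> <src> <dst> [eq <port>]
            src, i = _take_addr(t, 4)
            dst, i = _take_addr(t, i)
            dport = t[i + 1] if i < len(t) and t[i] == "eq" else None
            rules.append(Rule(t[1], t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":         # access-group <acl> in interface <name>
            bindings[t[1]] = t[4]
    return {"interfaces": interfaces, "rules": rules, "bindings": bindings}


def zone_color(level: int) -> str:
    """Map a PIX-style security level (0-100) to the page's colour scheme.
    The thresholds for green and yellow are an assumption of this example."""
    if level >= 100:
        return "blue"
    if level >= 70:
        return "green"
    if level > 0:
        return "yellow"
    return "red"


def correlate_rules(cfg: Dict) -> Tuple[Dict[str, List[Rule]], List[str], List[Rule]]:
    """Program function 120: attach each rule to the interface its ACL is bound to.
    Returns (rules per interface, interfaces with no rules, rules bound to no
    interface). The firewall's default behaviour governs the second group; the
    third group can never match traffic."""
    per_interface: Dict[str, List[Rule]] = {name: [] for name in cfg["interfaces"]}
    orphans: List[Rule] = []
    for rule in cfg["rules"]:
        iface = cfg["bindings"].get(rule.acl)
        if iface in per_interface:
            rule.interface = iface
            per_interface[iface].append(rule)
        else:
            orphans.append(rule)
    unbound = [name for name, rules in per_interface.items() if not rules]
    return per_interface, unbound, orphans


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    per_iface, unbound, orphans = correlate_rules(cfg)
    for name, level in cfg["interfaces"].items():
        print(f"{name}: security {level} ({zone_color(level)}), {len(per_iface[name])} rule(s)")
    print("interfaces relying on default behaviour:", unbound)
    print("rules bound to no interface:", [r.acl for r in orphans])
```

On the sample, `inside` ends up with no rules (so the firewall's default for that interface applies) and `acl_orphan` is never applied to any interface, which is exactly the pair of conditions decisions 524 and 530 exist to catch.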
  • FIG. 6 illustrates program function 130 in detail. As noted above, program function 130 determines data flow vulnerabilities such as use of vulnerable communication programs, protocols and ports for certain firewall interfaces and their respective zones. A vulnerability database 603 in storage 305 is maintained with current information. The vulnerability database 603 lists known data flow vulnerabilities based on type of service, protocol, port number, respective zones, and other factors. Some examples of data flow vulnerabilities are the following:
      • a communication using FTP because userID and password flow in the clear, i.e. unencrypted,
      • an unauthenticated communication permitted from a lower security zone to a higher security zone,
      • a permitted communication using inherently risky remote access commands, such as RSHELL, RLOGIN, RHOST,
      • a rule allowing more ports than are required by the communication,
      • a communication commonly implemented by a vulnerable software product,
      • a communication using Telnet rather than its more secure equivalent (SSH),
      • a communication permitted into a UDP printer port,
      • a communication permitting inherently risky services, such as netbios, DNS, SMTP,
      • a communication permitting all ICMP types, and
      • a communication permitted from a more secure zone to a less secure zone without control by a ruleset to limit who can initiate such a communication.
        In step 602, program function 130 reads the contents of data flow checking table 514 which correlates each rule in the ruleset for firewall 21 to the respective interface of firewall 21. Then, program function 130 compares the first rule in 514 to the list of vulnerabilities in the vulnerability database 603 (step 604). If the first one of the rules matches one or more of the vulnerabilities in the vulnerability database 603 (decision 606, yes branch), then program function 130 writes the combination of interface/zone and rule into a “found-vulnerability” database 610 (step 608). However, if the first rule does not match any of the vulnerabilities in vulnerability data base 603 (decision 606, no branch, or after step 608), program function 130 determines if this is the last rule in data flow checking table 514 to be considered (decision 630). If not, then program function 130 loops back to step 604 to repeat steps 604, 606, 608 and 630 for the next rule. After all the rules in data flow checking table 514 have been compared to the vulnerability database 603 (decision 630, yes branch), then program function 130 proceeds to step 702 to invoke program function 140.
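As an added example of the matching loop of steps 602 to 630 (not code from the patent), the following Python encodes the vulnerability list above as predicates over a permitted flow and runs every flow in a constructed data flow checking table against them. The `Flow` fields, the severity ratings and the severity-to-colour key are assumptions of this example; the port numbers are the standard ones for the named services.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One permitted data flow from data flow checking table 514, with the
    security level of its source and destination zones attached."""
    interface: str
    src_zone: str
    src_level: int
    dst_zone: str
    dst_level: int
    protocol: str                              # tcp, udp, icmp or ip
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range; None = all
    src_any: bool = False                      # source is "any": no control over who initiates
    authenticated: bool = False                # flow gated by firewall user authentication
    icmp_type: Optional[str] = None            # None with protocol icmp = every ICMP type


def _overlaps(flow: Flow, lo: int, hi: Optional[int] = None) -> bool:
    """True when the flow's destination port range overlaps [lo, hi]."""
    hi = lo if hi is None else hi
    if flow.dports is None:
        return True
    return flow.dports[0] <= hi and lo <= flow.dports[1]


def _tcp(flow: Flow, lo: int, hi: Optional[int] = None) -> bool:
    return flow.protocol == "tcp" and _overlaps(flow, lo, hi)


def _udp(flow: Flow, lo: int, hi: Optional[int] = None) -> bool:
    return flow.protocol == "udp" and _overlaps(flow, lo, hi)


# Stand-in for vulnerability database 603: (finding, severity, predicate).
# Severity ratings are an assumption of this example.
VULNERABILITY_DB: List[Tuple[str, str, Callable[[Flow], bool]]] = [
    ("FTP: user ID and password flow unencrypted", "high", lambda f: _tcp(f, 21)),
    ("Telnet permitted instead of SSH", "high", lambda f: _tcp(f, 23)),
    ("Berkeley r-commands (rexec, rlogin, rsh)", "high", lambda f: _tcp(f, 512, 514)),
    ("Inherently risky service: NetBIOS", "medium", lambda f: _tcp(f, 139) or _udp(f, 137, 138)),
    ("Inherently risky service: DNS", "medium", lambda f: _tcp(f, 53) or _udp(f, 53)),
    ("Inherently risky service: SMTP", "medium", lambda f: _tcp(f, 25)),
    ("All ICMP types permitted", "medium",
     lambda f: f.protocol == "icmp" and f.icmp_type is None),
    ("Every TCP/UDP port permitted", "high",
     lambda f: f.protocol in ("tcp", "udp", "ip") and f.dports is None),
    ("Port range wider than a single service needs", "medium",
     lambda f: f.dports is not None and f.dports[1] - f.dports[0] >= 100),
    ("Unauthenticated flow from a lower to a higher security zone", "high",
     lambda f: f.src_level < f.dst_level and not f.authenticated),
    ("Flow from a higher to a lower zone with no control over who may initiate it", "low",
     lambda f: f.src_level > f.dst_level and f.src_any),
]

SEVERITY_COLOR = {"high": "red", "medium": "yellow", "low": "green"}  # assumed colour key


def find_vulnerabilities(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Program function 130: compare every permitted flow against the vulnerability
    database and return (flow, finding, severity) for each match."""
    found = []
    for flow in flows:
        for finding, severity, matches in VULNERABILITY_DB:
            if matches(flow):
                found.append((flow, finding, severity))
    return found


# Constructed sample flows from the vantage point of a firewall joining a red
# outside zone (0), a yellow DMZ (50) and a blue intranet (100).
SAMPLE_FLOWS = [
    Flow("outside", "red", 0, "yellow", 50, "tcp", (80, 80), src_any=True),
    Flow("outside", "red", 0, "yellow", 50, "tcp", (21, 21), src_any=True),
    Flow("inside", "blue", 100, "red", 0, "tcp", (23, 23), src_any=True),
    Flow("inside", "blue", 100, "yellow", 50, "icmp"),
    Flow("dmz", "yellow", 50, "blue", 100, "tcp", (1433, 1433), authenticated=True),
    Flow("outside", "red", 0, "yellow", 50, "udp", (1024, 65535), src_any=True),
]

if __name__ == "__main__":
    for flow, finding, severity in find_vulnerabilities(SAMPLE_FLOWS):
        print(f"{flow.src_zone}->{flow.dst_zone} {flow.protocol} {flow.dports}: "
              f"{finding} [{severity}/{SEVERITY_COLOR[severity]}]")
```

The authenticated DMZ-to-intranet flow produces no finding, which is the point of carrying the authentication method in the configuration data gathered by program function 110: the same lower-to-higher flow without it is reported.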
  • FIG. 7 illustrates program function 140 in detail. As explained above, program function 140 determines data flow misconfigurations such as when two or more firewall rules contradict each other, two or more firewall rules are redundant of each other or when a firewall rule specifies a source zone or destination zone that is not consistent with the interfaces of the firewall. In step 702, program function 140 reads the contents of data flow checking table 514 which contains each rule in the ruleset for firewall 21. Next, program function 140 analyses a first data flow rule in 514 for “interface/zone” consistency, i.e. consistency with its interface and respective zones (step 704). For example, if an inbound data flow rule specifies a source IP address, firewall interface and destination IP address, program function 140 checks if the source IP address is in the source zone for the specified interface. Also, for outbound rules, program function 140 checks if the destination IP address is in the destination zone for the specified interface. As another example of processing in step 704, program function 140 checks if the source IP address and destination IP address are in the same network. As another example of processing in step 704, program function 140 checks if there are any data flows terminating at the firewall itself. Next, program function 140 checks the first one of the data flow rules for “rule” redundancy, i.e. redundancy with another data flow rule considered in a previous iteration of program function 140 (step 706). A redundancy exists when two rules permit the same data flow. This check is made by comparing each rule against each other rule. Next, program function 140 checks the first data flow rule for “rule” contradiction, i.e. contradiction with a previous one of the data flow rules considered in a previous iteration of program function 140 (step 708). 
A contradiction exists where one rule permits a certain data flow and another rule denies this same data flow. This check is made by comparing each rule against each other rule. Next, program function 140 compares the first data flow rule in table 514 for any other type of misconfiguration such as “superset” redundancy where one rule encompasses another rule, making it unnecessary to include this other rule in the rule set (step 710). As another example of processing in step 710, program function 140 checks if the source IP address is not reachable from the source zone of any firewall interface, making it impossible for this rule to apply. As another example of processing in step 710, program function 140 checks if the destination IP address is not reachable through a destination zone for any interface of the firewall, making it impossible for this rule to apply. These other types of potential misconfigurations are listed in the misconfiguration database 703.
  • For each zone inconsistency, rule redundancy, rule contradiction, or other type of misconfiguration (decision 720, yes branch), program function 140 writes the rule into a misconfiguration table 730 (step 732). If the current rule has no zone inconsistency, rule redundancy, rule contradiction, or other type of misconfiguration or after step 732, program function 140 loops back to step 704 to evaluate the next rule in data flow checking table 514 (decision 740, no branch), i.e. repeats the foregoing steps 704, 706, 708, 710, 720, 732 and 740. After all the rules have been evaluated (decision 740, yes branch), then program function 140 has completed its evaluation, and proceeds to step 802 to invoke program function 150.
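The checks of steps 704 to 710, as an added Python example that is not code from the patent. A rule covers another when its interface is the same and its protocol, addresses and port are supersets; two rules that cover each other are exact duplicates (redundant if they agree, a contradiction if they do not), and an earlier broader rule with the opposite action shadows the later one. The zone table, firewall addresses and ruleset are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for zone table 404: interface -> (zone, address block, security level).
ZONES = {
    "outside": ("red", ipaddress.ip_network("0.0.0.0/0"), 0),
    "dmz": ("yellow", ipaddress.ip_network("192.0.2.0/24"), 50),
    "inside": ("blue", ipaddress.ip_network("10.0.0.0/8"), 100),
}
# Addresses of the firewall's own interfaces (constructed).
FIREWALL_ADDRS = {ipaddress.ip_address(a) for a in ("198.51.100.1", "192.0.2.1", "10.0.0.1")}


@dataclass(frozen=True)
class Rule:
    seq: int                 # position in the ruleset (first match wins)
    interface: str           # interface the rule is applied to, inbound
    action: str              # permit or deny
    protocol: str            # ip, tcp, udp or icmp
    src: str                 # CIDR
    dst: str                 # CIDR
    dport: Optional[int]     # None = any destination port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.interface != inner.interface:
        return False
    if outer.protocol != "ip" and outer.protocol != inner.protocol:
        return False
    if outer.dport is not None and outer.dport != inner.dport:
        return False
    return _net(inner.src).subnet_of(_net(outer.src)) and _net(inner.dst).subnet_of(_net(outer.dst))


def _zone_of(net: ipaddress.IPv4Network) -> Optional[str]:
    """Zone with the most specific address block containing `net`."""
    best = None
    for zone, block, _ in ZONES.values():
        if net.subnet_of(block) and (best is None or block.prefixlen > best[1].prefixlen):
            best = (zone, block)
    return best[0] if best else None


def check_zone_consistency(rule: Rule) -> List[str]:
    """Step 704: the source must lie in the zone behind the rule's interface, source
    and destination must not share a zone, and no flow should terminate on the firewall."""
    issues = []
    zone, block, _ = ZONES[rule.interface]
    src, dst = _net(rule.src), _net(rule.dst)
    if not src.subnet_of(block):
        issues.append(f"source {rule.src} is not in the {zone} zone behind interface {rule.interface}")
    if _zone_of(src) == _zone_of(dst):
        issues.append(f"source {rule.src} and destination {rule.dst} are in the same zone")
    if dst.prefixlen == 32 and dst.network_address in FIREWALL_ADDRS:
        issues.append(f"destination {rule.dst} is the firewall itself")
    return issues


def analyze(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Program function 140: return (rule seq, kind, detail) for every zone
    inconsistency, redundancy, contradiction or superset redundancy found."""
    findings = []
    for rule in rules:
        for issue in check_zone_consistency(rule):
            findings.append((rule.seq, "zone inconsistency", issue))
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            same_action = earlier.action == later.action
            if _covers(earlier, later) and _covers(later, earlier):
                kind = "redundant" if same_action else "contradiction"
                findings.append((later.seq, kind,
                                 f"rule {later.seq} matches exactly what rule {earlier.seq} matches"))
            elif _covers(earlier, later):
                kind = "superset redundancy" if same_action else "contradiction"
                findings.append((later.seq, kind,
                                 f"rule {later.seq} is shadowed by the broader earlier rule {earlier.seq}"))
            elif _covers(later, earlier):
                kind = "superset redundancy" if same_action else "contradiction"
                findings.append((earlier.seq, kind,
                                 f"rule {earlier.seq} is encompassed by the broader later rule {later.seq}"))
    return findings


# Constructed sample ruleset.
SAMPLE_RULES = [
    Rule(1, "outside", "permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule(2, "outside", "permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule(3, "outside", "permit", "ip", "0.0.0.0/0", "192.0.2.0/24", None),
    Rule(4, "outside", "deny", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule(5, "dmz", "permit", "tcp", "10.0.0.0/8", "192.0.2.20/32", 22),
    Rule(6, "dmz", "permit", "tcp", "192.0.2.0/24", "192.0.2.1/32", 23),
]

if __name__ == "__main__":
    for seq, kind, detail in analyze(SAMPLE_RULES):
        print(f"rule {seq}: {kind}: {detail}")
```

Rule 4 is the case worth noticing on a real audit: the administrator believes HTTPS to the web server is denied, but rule 3 already permits all IP to the DMZ, so the deny never fires and the contradiction is only visible by comparing rules pairwise.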
  • FIG. 8 illustrates program function 150 in detail. As explained above, program function 150 determines errors in other firewall settings unrelated to data flow rules, such as settings related to an SNMP function (for notification and management of events) and administration of the firewall 21. For example, program function 150 determines usage of improper keys in SNMP, whether default SNMP keys have been left in place, and improper length of SNMP password strings (used to access files within the firewall). Program function 150 also determines whether there is proper specification of what information should be logged, whether banners indicating that the network is secure are displayed, and whether the administrator must authenticate himself or herself to an authentication server before obtaining access to the firewall. Program function 150 reads the actual settings from configuration file 304 (step 802) and compares the first setting to a list of improper settings maintained in findings database 810 (step 804). These improper settings were previously entered into database 810. If the actual setting matches an improper setting (decision 806, yes branch), then program function 150 writes the improper actual setting into an improper actual setting database 830 (step 832). If the first one of the settings was proper (decision 806, no branch) or after step 832, and if there is another actual setting to evaluate (decision 836, no branch), program function 150 loops back to step 804 to review the next actual setting, as described above. After all the actual settings have been evaluated (decision 836, yes branch), program function 150 has completed its evaluation, so it invokes program function 160 at step 902.
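The settings checks of program function 150, as an added Python example that is not code from the patent: each entry of a constructed findings database is a predicate over the firewall's configuration lines, and a weak PIX-style configuration is checked beside a corrected one. The default community strings, the minimum length, the severity ratings and the colour key are assumptions of this example; the command syntax is PIX 6.x-style.

```python
import re
from typing import Callable, List, Tuple

# Constructed firewall settings (PIX-style lines); not a real device's configuration.
SAMPLE_SETTINGS = """\
snmp-server community public
snmp-server host inside 10.0.0.9
logging on
logging trap informational
telnet 10.0.0.0 255.0.0.0 inside
"""

# The same device with the improper settings corrected (constructed).
HARDENED_SETTINGS = """\
snmp-server community Zq7vL2pW9kTm
snmp-server host inside 10.0.0.9
logging on
logging trap informational
banner motd Authorized use only. Activity is monitored.
aaa authentication ssh console TACACS+
"""

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco"}   # assumed default-key list
MIN_COMMUNITY_LEN = 8                                     # assumed policy minimum


def _communities(lines: List[str]) -> List[str]:
    """All SNMP community strings configured on the device."""
    matches = (re.match(r"snmp-server community (\S+)", line) for line in lines)
    return [m.group(1) for m in matches if m]


# Stand-in for findings database 810: (description, severity, predicate that is
# true when the setting is improper). Severity ratings are an assumption.
SETTING_CHECKS: List[Tuple[str, str, Callable[[List[str]], bool]]] = [
    ("SNMP community string is a well-known default", "high",
     lambda lines: any(c in WELL_KNOWN_COMMUNITIES for c in _communities(lines))),
    ("SNMP community string shorter than policy minimum", "medium",
     lambda lines: any(len(c) < MIN_COMMUNITY_LEN for c in _communities(lines))),
    ("Logging is not enabled", "medium",
     lambda lines: "logging on" not in lines),
    ("No logging destination or level specified", "low",
     lambda lines: not any(l.startswith(("logging trap", "logging host")) for l in lines)),
    ("No warning banner configured", "low",
     lambda lines: not any(l.startswith("banner ") for l in lines)),
    ("Administrative access is not authenticated against an AAA server", "high",
     lambda lines: not any(l.startswith("aaa authentication ") for l in lines)),
]

SEVERITY_COLOR = {"high": "red", "medium": "yellow", "low": "green"}  # assumed colour key


def check_settings(config: str) -> List[Tuple[str, str]]:
    """Program function 150: return (description, severity) for each improper setting."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    return [(desc, sev) for desc, sev, improper in SETTING_CHECKS if improper(lines)]


if __name__ == "__main__":
    for config_name, config in (("weak", SAMPLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(config_name, "->", [(d, SEVERITY_COLOR[s]) for d, s in check_settings(config)])
```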
  • FIGS. 9(A) and 9(B) illustrate program function 160 in detail. As explained above, program function 160 controls a computer display to graphically present the data flows, vulnerabilities and misconfigurations in a manner which effectively shows the vulnerabilities and misconfigurations to the user. In step 902, program function 160 presents to a user four different options for display.
  • The first option (leading to branch 905) is to display a network diagram illustrating the various firewalls, interfaces and networks/zones with the type of each network/zone indicated by blue, green, yellow or red coloration or other representative color coding of a network icon. In the illustrated example, each network icon is a “cloud”. The network diagram also indicates for each interface, adjacent to the interface, a list of the permitted (or “active”) port types, port numbers and by arrow, the direction of the permitted communication through each port. The network diagram also indicates for each firewall, the total number of problematic rules of each type, i.e. data flow vulnerabilities, data flow misconfigurations and improper settings. FIG. 10 illustrates an example of a network diagram corresponding to a portion of the computer system of FIG. 1, from the vantage point of firewall 21, i.e. firewall 21 and the networks 11, 12 and 13 connected to firewall 21.
  • In the example of FIG. 10, the three networks or “zones” 11, 12, and 13 connected to the firewall 21 are color-coded according to their security levels. (FIG. 10 is shown in black and white pursuant to USPTO rules, although in actuality, the network icons, flow arrows and certain port numbers are colored to provide associated information.) Thus, the network icon for blue network 13 is colored blue, the network icon for yellow network 12 is colored yellow, and the network icon for green network 11 is colored green. Each network icon is labeled with its network, network address translation (“NAT”) information (if any), and its numerical security level. In the illustrated example, blue zone network 13 is a secure company intranet, green zone network 11 is a trusted network, red zone network 14 is an untrusted network such as the Internet, and yellow zone network 12 is a DMZ network separating the blue zone network from the untrusted, red zone Internet. As a default, when a user does not supply color information for each type of network, the color coding will correspond to a reverse rainbow, with blue being the most secure network, and red the most insecure (typically the Internet). By way of example, the blue zone network 13 has a security level of one hundred, the green zone network 11 has a security level of seventy, and the yellow zone network 12 has a security level of fifty. The higher the security level, the more secure the network.
  • FIG. 10 also illustrates a summary pie chart 1035 labeled with the total number of data flow vulnerabilities, data flow misconfigurations, and improper firewall settings for firewall 21. Each section of the pie is labeled with the total number of findings of the corresponding type. If the user selects any of the pie sections, for example, by clicking with a mouse button, the corresponding table (see FIGS. 11-13) will be displayed. For example, if the section labeled “Firewall Settings Four” is clicked, then a firewall settings table would be displayed such as the one illustrated in FIG. 13. In this example, the displayed firewall settings table has four improper firewall setting entries in all.
  • FIG. 10 also illustrates two sets of port numbers adjacent to each network; one set specifies the inbound ports used by this network to receive a communication from other networks, and the other set specifies the destination ports specified in communications from this network to other networks. These ports are the ports of a network device which receives the communication, for example, a web server, a database server or a mail server. In operation, firewall 21 reviews the port specified in each communication sent to the firewall en route to the destination network, and filters that communication if specified in the associated firewall rule. In the illustrated example, network 13 uses port numbers 22, 23, 25 and 123 to receive communications from other networks, and sends communications to port numbers 23, 80 and 443 of other networks. Network 12 uses port number 23 to receive communications, and sends communications to port numbers 22, 25, 80 and 123 of other networks. Network 11 uses port numbers 23, 25, 80 and 443 to receive communications, and sends communications to port numbers 23 and 123 of other networks. The port numbers on each port list are color-coded according to the severity of the associated vulnerability finding made by program function 130. A black number has no associated vulnerability. A green number is a low vulnerability, a yellow number is a medium vulnerability, and a red number is a high vulnerability. The same port number may have different vulnerability ratings depending on the direction of flow, host-to-host limitation, or other factors. For example, allowing an NTP communication from any host in one zone to any host in a higher-security zone is typically more dangerous (and therefore rated as a higher vulnerability) than allowing the NTP communication from one designated NTP server in a high-security zone to a few specific other hosts in a lower-security zone. The following is the color code in the illustrated example.
Inbound port 22 of network 13 is color coded green to represent a low severity level of vulnerability. Inbound port 123 and destination port 23 of network 13 are color coded yellow to represent an intermediate severity level of vulnerability. Inbound ports 23 and 25 of network 13 are color coded red to represent a high severity level of vulnerability. Destination ports 22 and 123 of network 12 are color coded green to represent a low severity level of vulnerability. Inbound port 23 and destination port 25 of network 12 are color coded red to represent a high severity level of vulnerability. Inbound port 23 and destination port 123 of network 11 are color coded yellow to represent an intermediate severity level of vulnerability. Inbound port 25 and destination port 23 of network 11 are color coded red to represent a high severity level of vulnerability.
  • FIG. 10 also illustrates by arrows the data flows/communications between zones. For each zone 11, 12 and 13, colored arrows represent flows into and flows out of the zone, for the corresponding sets of ports shown at the source of the arrow. The color of a flow arrow corresponds to the security of the zone which is sending the communication in the case of an inbound communication (the arrows point towards the respective network clouds), and corresponds to the security of the zone which is receiving the communication in the case of an outbound communication (the arrows point towards the firewall). In the illustrated embodiment, the ports listed next to each set of color-coded flow arrows of the same direction include all flows in that direction. Thus, if a communication is flowing to the blue zone 13 from any other zone, the port associated with that communication will be listed in the inbound port list for the blue zone 13 at the source of the incoming flow arrows. For example, if SSH (TCP port 22) is allowed from yellow to blue, then the SSH port number will appear in the list of inbound ports next to the flow arrows for the blue zone 13, even when SSH is not permitted to flow from the green zone to the blue zone. The following are specific examples of the arrows in FIG. 10. A yellow arrow 1011 pointing toward the blue zone network 13 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 22, 23, 25 and 123 of the blue zone network 13. A green arrow 1013 pointing towards the blue zone network 13 represents all flows originating in the green zone network 11 and sent to one or more of ports 22, 23, 25 and 123 of the blue zone network 13. A green arrow 1027 pointing away from blue zone network 13 represents all flows originating in the blue zone network 13 and sent to one or more of ports 23, 80 and 443 of the green zone network 11. 
A yellow arrow 1025 pointing away from blue zone network 13 represents all flows originating in the blue zone network 13 and sent to one or more of ports 23, 80 and 443 of the yellow zone network 12. A green arrow 1015 pointing toward the yellow zone network 12 represents all flows originating in the green zone network 11 and sent to port 23 of the yellow zone network 12. A blue arrow 1017 pointing toward the yellow zone network 12 represents all flows originating in the blue zone network 13 and sent to port 23 of the yellow zone network 12. A green arrow 1019 pointing away from the yellow zone network 12 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 22, 25, 80 and 123 of the green zone network 11. A blue arrow 1021 pointing away from the yellow zone network 12 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 22, 25, 80 and 123 of the blue zone network 13. A yellow arrow 1029 pointing toward the green zone network 11 represents all flows originating in the yellow zone network 12 and sent to one or more of ports 23, 25, 80 and 443 of the green zone network 11. A blue arrow 1031 pointing toward the green zone network 11 represents all flows originating in the blue zone network 13 and sent to one or more of ports 23, 25, 80 and 443 of the green zone network 11. A yellow arrow 1033 pointing away from green zone network 11 represents all flows originating in the green zone network 11 and sent to one or more of ports 23 and 123 of the yellow zone network 12. A blue arrow 1023 pointing away from green zone network 11 represents all flows originating in the green zone network 11 and sent to one or more of ports 23 and 123 of the blue zone network 13. (In an alternate embodiment of the present invention, for each arrow into each zone/network there is a separate list of ports, shown at the source of the arrow, used for the communication represented by the arrow.)
  • To see a list of the ports/services used from one specific zone to another, for example only ports/services flowing from the yellow zone 12 to the blue zone 13, the user can scroll over the respective colored arrow(s), in this example, arrow 1011. As the mouse passes over the arrow, a box will pop up with a list of only the ports/services flowing between the two zones represented by the arrow.
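The port lists, arrow colors and mouse-over list described for FIG. 10 can be derived mechanically from a zone table and a ruleset. The following is an added illustration, not code from the patent; the zone table, ruleset and vulnerability findings (standing in for the output of program function 130) are constructed sample data, and the zone names, CIDR blocks and the `Rule` fields are assumptions.

```python
"""Port lists and flow-arrow colours for a FIG. 10 style network diagram.

Added illustration, not code from the patent. The zone table, ruleset and
vulnerability findings are constructed sample data. Colouring follows the text:
an arrow pointing into a zone takes the colour of the sending zone, an arrow
pointing out of a zone (toward the firewall) takes the colour of the receiving
zone, and a listed port number takes the colour of the worst vulnerability
finding on any permitted rule using it (black when there is none).
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Default "reverse rainbow": the most secure zone is blue, the least secure red.
ZONE_PALETTE = ["blue", "green", "yellow", "red"]
SEVERITY_COLOR = {None: "black", "low": "green", "medium": "yellow", "high": "red"}
SEVERITY_RANK = {None: 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str      # network in CIDR notation, a host address, or "any"
    dst: str
    proto: str
    port: int
    action: str   # "permit" or "deny"


# Constructed zone table (cf. zone table 404): name, network, security level.
ZONES = [
    ("intranet", "10.1.0.0/16", 100),
    ("trusted", "10.2.0.0/16", 70),
    ("dmz", "192.168.5.0/24", 50),
]

# Constructed ruleset of the firewall under review.
RULES = [
    Rule(1, "192.168.5.0/24", "10.1.0.0/16", "tcp", 22, "permit"),
    Rule(2, "10.2.0.0/16", "10.1.0.0/16", "tcp", 22, "permit"),
    Rule(3, "any", "10.1.0.0/16", "udp", 123, "permit"),
    Rule(4, "10.1.0.0/16", "192.168.5.0/24", "tcp", 23, "permit"),
    Rule(5, "10.1.0.0/16", "10.2.0.0/16", "tcp", 443, "permit"),
    Rule(6, "10.2.0.0/16", "192.168.5.0/24", "tcp", 23, "deny"),
]

# Constructed output of the vulnerability check (program function 130): rule -> severity.
FINDINGS = {1: "low", 3: "medium", 4: "high"}


def zone_colors(zones):
    """Colour zones by descending security level; blue for the highest level."""
    ordered = sorted(zones, key=lambda z: -z[2])
    return {name: ZONE_PALETTE[i] for i, (name, _net, _lvl) in enumerate(ordered)}


def zones_of(addr, zones):
    """Zones an address field refers to: the containing zone, or every zone for 'any'."""
    if addr == "any":
        return [name for name, _net, _lvl in zones]
    net = ipaddress.ip_network(addr, strict=False)
    return [name for name, z, _lvl in zones if net.subnet_of(ipaddress.ip_network(z))]


def _paint(table):
    """Replace each port's worst severity with its display colour, ports in order."""
    return {z: {p: SEVERITY_COLOR[s] for p, s in sorted(ports.items())}
            for z, ports in table.items()}


def diagram(zones, rules, findings):
    """Return per-zone port colours, arrow colours and the hover list for each arrow."""
    colors = zone_colors(zones)
    inbound = defaultdict(dict)      # zone -> {port: worst severity of flows into the zone}
    destination = defaultdict(dict)  # zone -> {port: worst severity of flows out of the zone}
    arrows = {}                      # (direction, zone, other zone) -> arrow colour
    between = defaultdict(set)       # (src zone, dst zone) -> ports shown on mouse-over
    for r in rules:
        if r.action != "permit":
            continue                 # only permitted flows are drawn
        sev = findings.get(r.number)
        for src in zones_of(r.src, zones):
            for dst in zones_of(r.dst, zones):
                if src == dst:
                    continue         # intra-zone traffic does not cross the firewall
                for table, zone in ((inbound, dst), (destination, src)):
                    if SEVERITY_RANK[sev] >= SEVERITY_RANK[table[zone].get(r.port)]:
                        table[zone][r.port] = sev
                arrows[("in", dst, src)] = colors[src]   # points at the dst cloud
                arrows[("out", src, dst)] = colors[dst]  # points from src at the firewall
                between[(src, dst)].add(r.port)
    return {"zone_colors": colors, "inbound": _paint(inbound),
            "destination": _paint(destination), "arrows": arrows,
            "between": {k: sorted(v) for k, v in between.items()}}
```

Rule 3's source of "any" is expanded to every zone other than the destination, so the same port 123 appears once in the blue zone's inbound list even though two arrows carry it.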
  • In order to examine the security findings for flows between two zones in more detail, the user may click on a flow arrow. A window, such as pop up window 1101, will pop up with a list of vulnerable ports/services and the vulnerability information corresponding to each flow. The vulnerability information for a flow includes a description of the finding (such as shown in pop up window 1101), the relevant line number(s) from the configuration file 304, recommendations for the administrator, and other information. To access vulnerability information for one specific port/service, the user may click on a colored port number in any port list. A window will pop up containing the vulnerability information for that flow only. The vulnerability information for a specific port/service includes the same information described above.
  • Each security zone may have non-dataflow features that can be determined from the loaded configuration file 304. These features may include routing information, the location of logging and other special-purpose servers, etc. The basic network diagram does not display this information. However, if the user wishes to examine these additional features, the user may click on the network icon (cloud) to bring it into “focus.” When a network is in “focus”, all such additional information is graphically displayed. In the illustrated example, there is another firewall 22 between the yellow zone network 12 and the red zone network 14. If the IP addresses in the red zone 14 are reachable through the yellow zone 12, then there must be routing information for those red addresses in the configuration file 304 of the firewall 21 currently under examination. Therefore, the existence of the firewall 22 can be deduced from the configuration file 304 of the firewall 21. It will appear as a router on the sample network diagram (FIG. 10) when the yellow zone 12 is brought into focus. If different zones are brought into focus, different information will be revealed. If, for example, the blue zone 13 is brought into focus (not shown), the user will see a type of authentication server and its IP address attached to the blue zone 13.
  • Referring again to FIG. 9(A), the second option (branch 940) is to display a table which lists each of the rules in the ruleset for a specified firewall, and the rules which represent data flow vulnerabilities. FIG. 11 illustrates an example of a vulnerability table for firewall 21. (FIG. 11 is shown in black and white pursuant to USPTO rules, although in actuality, some of the entries as described below are colored to provide associated information.) The Rule Number column identifies the order in which the rules are processed by the firewall. For each of the rules there is an entry for (a) security rating, (b) rule number, (c) source IP address for the data flow, (d) destination IP address for the data flow, (e) IP protocol, (f) port and (g) rule action. For each rule, the entry for the source IP address is color coded indicating the type of source network/zone, for example, blue, green, yellow or red. (If the source network for the source IP address is not limited to one zone, then the entry for the source IP address is “any” and is not color coded, indicating all networks connected to the firewall.) In the example, the source IP addresses for rules 1, 2, 3, 10, 11 and 13 are color coded blue, the source IP addresses for rules 5, 9 and 12 are color coded yellow, and the source IP addresses for rules 6 and 14 are color coded green. Likewise, for each rule, the entry for the destination IP address is color coded indicating the type of destination network/zone, for example, blue, green, yellow or red. In the example, the destination IP addresses for rules 1, 2, 3, 9 and 12 are color coded blue, and the destination IP addresses for rules 4, 6, 7, 8, 10, 11, 13 and 14 are color coded yellow.
For any of the rules for which program function 130 has identified a vulnerability problem, the rule number is highlighted to indicate a hyperlink, and the security rating entry is listed as high, medium or low and color coded red, yellow or green, respectively, to indicate the severity of the problem. In the example, rule numbers 4, 5, 9 and 12 are color coded blue, and have color coded security rating entries. The Protocol column refers to protocols within the IP suite. The most common IP suite protocols used are TCP, UDP and ICMP. The Rule Action column identifies if the communication flow is being allowed or denied.
  • Rules that have a vulnerability have a hyperlink that when clicked pops up a window that provides an explanation of the vulnerability. If the user selects any of these rule entries, for example, by clicking with a mouse button, program tool 160 displays additional information about the rule and a recommendation on how to fix a vulnerability problem, if any, associated with the rule. In the example of FIG. 11, the user has clicked on “Rule 5”, and in response, pop up window 1041 is displayed. The additional information comprises a description of vulnerability and mitigation recommendations. Examples of recommendations are as follows: remove rule, rewrite rule, upgrade patch level, use alternate protocol(s). The additional information about each type of problem and the recommendation of how to fix each type of problem were previously entered into a recommendations database 950.
  • Referring again to FIG. 9(A), the third option (branch 960) is to display a table which lists each of the rules in the ruleset for the firewall, and also indicates the rules which represent data flow misconfigurations. FIG. 12 illustrates an example of a misconfiguration table for firewall 21. (FIG. 12 is shown in black and white pursuant to USPTO rules, although in actuality, some of the entries as described below are colored to provide associated information.) The Rule Number column identifies the order in which the rules are processed by the firewall. For each of the rules there is an entry for (a) security rating, (b) rule number, (c) source IP address for the data flow, (d) destination IP address for the data flow, (e) IP protocol, (f) port and (g) rule action. The table displays the complete ruleset and identifies all rules that have been found to have rule inconsistencies, contradictions and redundancies. The Security Rating column gives a rating of each configuration issue identified. These ratings are based on what effect the rule has on the network. For any of the rules for which program function 140 has identified a data flow configuration problem, there is a “low”, “medium” or “high” entry for the security rating, and color coding of the security rating entry indicating the severity of the configuration problem, for example, green, yellow or red, respectively. The lower the security rating, the lesser the effect on the network caused by the misconfiguration. For any of the rules for which program function 140 has identified a data flow configuration problem, there is also highlighting of the respective rule number to indicate a hyperlink. In the example, rules 3, 7, 8, 10, 13 and 14 have been highlighted. Rules that have a misconfiguration have a hyperlink that when clicked pops up a window that provides an explanation of the misconfiguration.
If the user selects any of these rule entries, for example, by clicking with a mouse button, program tool 160 displays additional information about the rule and a recommendation on how to fix the problem. In the example, the user has clicked rule 8, and in response, a pop up window 1051 has been displayed. The additional information comprises a description of the vulnerability and mitigation recommendations. Examples of recommendations are as follows: remove rule, rewrite rule, upgrade patch level, use alternate protocol(s). The additional information about each type of problem and the recommendation of how to fix each type of problem were previously entered into the recommendations database 950. The entries in the Source IP Address(es) and Destination IP Address(es) columns are color-coded based upon the type of their zone. The color red identifies an Internet (unknown and untrusted) network. The color yellow identifies an extranet (known but untrusted, i.e. semi-secure) network. The color green identifies a protected extranet (known and semi-trusted) network. The color blue identifies an intranet (known and trusted) network. In the example, the entries for the source IP addresses for rules 1, 2, 3, 8, 10, 11 and 13 are color coded blue, the entries for the source IP addresses for rules 5, 7, 9 and 12 are color coded yellow, and the entries for the source IP addresses for rules 6 and 14 are color coded green. In the example, the entries for the destination IP addresses for rules 1, 2, 3, 9 and 12 are color coded blue, and the entries for the destination IP addresses for rules 4, 6, 7, 8, 10, 11, 13 and 14 are color coded yellow. Thus, in this example, rules 7, 8, 10, 13, and 14 create inconsistencies, contradictions and redundancies between rules. However, such rules have minimal effect: if one rule denies a host access, but a later rule allows the same host access, this is considered a low security rating.
Likewise, redundant rules would be considered a low severity level. In this example, rule 3 is considered a medium risk because it allows access to the firewall on TCP port 49. Firewall rules should never allow flows to the firewall with the exception of management communications. The Protocol column refers to protocols within the IP suite. The most common IP suite protocols used are TCP, UDP and ICMP. The Rule Action column identifies if the communication flow is being allowed or denied.
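The three rule-level findings the text rates (a later rule contradicted by an earlier deny, a redundant rule, and a rule that admits traffic to the firewall itself) can be detected by comparing each rule with the rules processed before it. The following is an added illustration, not code from the patent; the ruleset, the firewall's interface addresses and the list of management ports are constructed, and the `Rule` fields are assumptions.

```python
"""Rule-consistency checks behind the FIG. 12 misconfiguration table.

Added illustration, not code from the patent. The ruleset, the firewall's
interface addresses and the management port list are constructed. Following the
text, a later rule fully covered by an earlier rule is flagged low (redundant if
the actions agree, contradictory and never reached if they differ), and a permit
to the firewall itself on a port that is not a management port is flagged medium.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int
    src: str      # network in CIDR notation, a host address, or "any"
    dst: str
    proto: str
    port: int
    action: str   # "permit" or "deny"


# Constructed: the firewall's own interface addresses and its management services.
FIREWALL_ADDRS = {"10.1.0.1", "10.2.0.1", "192.168.5.1"}
MANAGEMENT_PORTS = {("tcp", 22), ("udp", 161), ("udp", 162)}

# Constructed ruleset, processed in order of rule number.
RULES = [
    Rule(1, "10.1.0.0/16", "192.168.5.0/24", "tcp", 80, "permit"),
    Rule(2, "10.1.0.0/16", "192.168.5.10", "tcp", 80, "permit"),   # covered by rule 1
    Rule(3, "192.168.5.0/24", "10.1.0.1", "tcp", 49, "permit"),    # TACACS+ to the firewall
    Rule(4, "192.168.5.0/24", "10.1.0.0/16", "tcp", 22, "deny"),
    Rule(5, "192.168.5.20", "10.1.0.0/16", "tcp", 22, "permit"),   # shadowed by rule 4
    Rule(6, "any", "10.1.0.1", "tcp", 22, "permit"),               # management: allowed
]


def _net(addr):
    return None if addr == "any" else ipaddress.ip_network(addr, strict=False)


def covers(outer, inner):
    """True when address field `outer` matches every address `inner` can match."""
    o, i = _net(outer), _net(inner)
    if o is None:
        return True           # "any" covers everything
    if i is None:
        return False          # nothing narrower than "any" covers "any"
    return i.subnet_of(o)


def rule_covers(a, b):
    """True when rule a matches every packet rule b matches."""
    return (a.proto == b.proto and a.port == b.port
            and covers(a.src, b.src) and covers(a.dst, b.dst))


def targets_firewall(rule):
    """True when the rule's destination is exactly one of the firewall's own addresses."""
    d = _net(rule.dst)
    return d is not None and d.prefixlen == 32 and str(d.network_address) in FIREWALL_ADDRS


def check_ruleset(rules):
    """Return (rule number, severity, description) for each misconfigured rule."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not rule_covers(earlier, later):
                continue
            if earlier.action == later.action:
                findings.append((later.number, "low",
                                 f"redundant: rule {earlier.number} already covers this flow"))
            else:
                findings.append((later.number, "low",
                                 f"contradiction: rule {earlier.number} ({earlier.action}) "
                                 "matches the same flow first, so this rule is never reached"))
            break                 # report the first covering rule only
        if (later.action == "permit" and targets_firewall(later)
                and (later.proto, later.port) not in MANAGEMENT_PORTS):
            findings.append((later.number, "medium",
                             f"permits {later.proto}/{later.port} to the firewall itself; "
                             "only management traffic should reach the firewall"))
    return findings
```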
  • Referring again to FIG. 9(B), the fourth option (branch 980) is to display a table which lists each of the (nondataflow) settings for the firewall. FIG. 13 illustrates an example of a firewall settings table for firewall 21. The firewall settings table identifies the security rating of each firewall setting and whether the firewall setting is improper. The Security Rating column gives a rating of each setting which is identified. There are three types of security ratings, Low, Medium, and High. For any of the settings which program function 150 has identified as improper, there is a “high”, “medium” or “low” entry for the security rating, and color coding of the security rating entry indicating the severity of the problem, for example, red, yellow or green, respectively. These ratings are based on the impact of the setting and the difficulty of exploiting it. A typical low rating, color-coded in green, would have minimal impact on the firewall. In FIG. 13, the example firewall setting, “Outside interface security level 100, Inside interface security level 0,” is actually improper but has a low rating, assuming the rules associated with each interface are correct. This is because the rules govern the access through the interface. A typical medium setting, color-coded in yellow, would have moderate impact on the firewall. In FIG. 13, the example firewall setting, “SNMP community SNMPkey,” is considered a medium setting because it would allow an attacker to easily guess the community string and gain SNMP access to the firewall. A typical high setting, color-coded in red, would have substantial impact on the firewall. In FIG. 13, the example firewall setting, “Logging buffered notifications,” is considered a high setting because the firewall logs are buffered on the firewall. When the buffer fills up, the buffer starts to write over older logs. Such overflow prevents a good history of events and an accurate record in case a computer forensics investigation is required.
  • Each rating has a hyperlink that when clicked pops up a window that provides an explanation of the configuration setting and recommendations. If the user selects any of the settings entries, for example, by clicking with a mouse button, program tool 160 displays additional information about the setting and a recommendation on how to fix the problem. In the example, the user has selected the upper entry, and in response, a pop up window 1061 has been displayed. The additional information comprises a description of the vulnerability and mitigation recommendations. Examples of recommendations are as follows: reconfigure SNMP to use private strings, use authentication to access firewall management, and turn off unnecessary services. The additional information about each type of problem and the recommendation of how to fix each type of problem were previously entered into database 950. After presenting the options to the user in step 902, the user selects one of the options in step 904.
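The three FIG. 13 settings and their ratings can be checked from the configuration text itself, each with the recommendation that would populate the pop-up window. The following is an added illustration, not code from the patent; the configuration is a constructed "name value" text (the patent's own configuration file format is not reproduced here), and the well-known community strings and minimum length are assumptions.

```python
"""Non-dataflow setting checks behind the FIG. 13 firewall settings table.

Added illustration, not code from the patent. The configuration is a constructed
"name value" text (the patent's own configuration file format is not shown here),
and the three checks reproduce the ratings given in the text: inverted interface
security levels are low (the interface rules still govern access), an easily
guessed SNMP community string is medium, and logging only to the firewall's own
buffer is high.
"""
import re

# Constructed list of community strings an attacker would try first.
WELL_KNOWN_COMMUNITIES = {"public", "private", "snmpkey", "cisco", "admin"}
MIN_COMMUNITY_LEN = 12   # assumed minimum length for a community string


def parse_settings(text):
    """Split 'name value...' lines into (name, value) pairs; '!' lines are comments."""
    settings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        name, _, value = line.partition(" ")
        settings.append((name, value.strip()))
    return settings


def check_interface_levels(settings):
    """Low: the outside interface is at least as trusted as the inside interface."""
    levels = {}
    for name, value in settings:
        m = re.fullmatch(r"(\S+) security (\d+)", value) if name == "interface" else None
        if m:
            levels[m.group(1)] = int(m.group(2))
    if "outside" in levels and "inside" in levels and levels["outside"] >= levels["inside"]:
        yield ("low", f"outside security {levels['outside']}, inside security {levels['inside']}",
               "interface security levels are inverted; correct them, even though the "
               "rules on each interface still govern access")


def check_snmp(settings):
    """Medium: a community string that is well known or too short to resist guessing."""
    for name, value in settings:
        if name == "snmp-community" and (
                value.lower() in WELL_KNOWN_COMMUNITIES or len(value) < MIN_COMMUNITY_LEN):
            yield ("medium", f"snmp-community {value}",
                   "community string is easy to guess; reconfigure SNMP to use a private string")


def check_logging(settings):
    """High: logs are only buffered on the firewall, so older events are overwritten."""
    destinations = {value.split()[0] for name, value in settings if name == "logging" and value}
    if "buffered" in destinations and "host" not in destinations:
        yield ("high", "logging buffered",
               "buffered logs are overwritten when the buffer fills; also send them to a log host")


def audit(text):
    """Return (severity, setting, recommendation) for each improper setting found."""
    settings = parse_settings(text)
    findings = []
    for check in (check_interface_levels, check_snmp, check_logging):
        findings.extend(check(settings))
    return findings


# Constructed sample configuration mirroring the three FIG. 13 entries.
CONFIG = """\
! constructed sample, not a real firewall configuration
interface outside security 100
interface inside security 0
snmp-community SNMPkey
logging buffered notifications
"""
```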
  • Referring again to FIG. 9(A), if the user selects the option to display the network diagram (branch 905), program function 160 reads the zone table 404 to determine which firewall(s) and their interfaces interconnect which networks/zones (step 906). Program function 160 has in storage (a) a predetermined “cloud” icon to represent each network/zone, (b) a predetermined firewall icon to represent each firewall in the composite network, and (c) a predetermined connector line to connect each firewall to the networks/zones which it interconnects. From the zone table information and using the predefined icons and a graphical knowledge base to lay out the cloud icons so they do not overlap one another and are adjacent to their respective interfaces, program function 160 generates the portion of the network diagram illustrating the interfaces and their respective networks/zones (step 910). Also from the zone table 404, program function 160 learns the security level of each zone, and then color codes the zone icon accordingly, i.e. blue, green, yellow or red (step 914). Next, program function 160 reads the data flow checking table 514 to determine the ports used for communication through each firewall to and from the respective networks/zones (step 915), and the direction of each data flow (step 916). Program function 160 uses this information to list the port numbers adjacent to the displayed firewall icons and generate arrows indicating the direction of the permitted communication through the ports (step 920). Next, program function 160 reads the data flow misconfiguration database 730 and found vulnerability database 610 and improper actual setting database 830 to determine the total number of findings (step 922). Then, program function 160 displays these numbers adjacent to the respective firewall (step 924) in the form of pie chart 1035. Finally, program function 160 displays the resulting network diagram on display screen 49 to the user (step 930).
  • Refer again to step 904 where the user selects a display option. If the user selects the option to display the data flow vulnerability table (branch 940), program function 160 reads the data flow checking table 514 to determine the data flows permitted through each interface (step 942). For each permitted data flow, the data flow checking table 514 indicates the source IP address, destination IP address, firewall interface, protocol, port, rule action and direction of data flow through the interface. Then, program function 160 begins to build the vulnerability table containing, for each data flow, the rule number, source IP address, destination IP address, and rule action (step 943). Then, program function 160 reads the zone table 404 to determine the security level of each of the networks/zones containing the source IP addresses and each of the networks/zones containing the destination IP addresses (step 944). Then, program function 160 color codes the source IP address entries and destination IP address entries accordingly, i.e. blue, green, yellow and red (step 946). Then, program function 160 reads from the configuration table the type of protocol and port number used for each of the data flows and adds the protocol and port number to the vulnerability table (step 948). Then, program function 160 reads the found-vulnerability database 610 to determine which of the rules pose a vulnerability (step 950). Then, program function 160 assigns to each vulnerable rule a severity level based on a severity table, and color codes the protocol entry according to the severity level, i.e. red, yellow or green (step 952). Finally, program function 160 displays the vulnerability table on display screen 49 (step 954). If requested, program function 160 will also print out the information in the vulnerability table (step 956).
  • Refer again to step 904 where the user selects a display option. If the user selects the option to display the misconfiguration table (branch 960), program function 160 reads the data flow checking table 514 to determine the data flows permitted through each interface (step 962). For each permitted data flow, the data flow checking table 514 indicates the source IP address, destination IP address, firewall interface, protocol, port, rule action and direction of data flow through the interface. Then, program function 160 begins to build the misconfiguration table containing, for each data flow, the rule number, source IP address, destination IP address, protocol, port and rule action (step 963). Then, program function 160 reads the zone table 404 to determine the security level of each of the networks/zones containing the source IP addresses and each of the networks/zones containing the destination IP addresses (step 964). Then, program function 160 color codes the source IP address entries and destination IP address entries accordingly, i.e. blue, green, yellow and red (step 965). Then, program function 160 reads the misconfiguration database 730 to determine which of the rules represent a misconfiguration (step 967). Then, program function 160 assigns a severity level to each misconfiguration based on a severity table, and color codes the protocol entry according to the severity level, i.e. red, yellow or green (step 968). Finally, program function 160 displays the misconfiguration table on display screen 49 (step 970). If requested, program function 160 will also print out the information in the misconfiguration table (step 972).
  • Refer again to step 904 where the user selects a display option. If the user selects the option to display the firewall settings (branch 980), program function 160 reads the actual improper settings database 830 to determine the actual improper settings within the firewall (step 982). For each improper setting, program function 160 begins to build an improper settings table indicating a description of the actual improper setting (step 984). Then, program function 160 reads the improper settings database 810 to determine a severity level of each improper actual setting (step 986). Then, program function 160 color codes the entry in the improper settings table according to the severity level, i.e. red, yellow or green (step 988). Finally, program function 160 displays the improper settings table on display screen 49 (step 990). If requested, program function 160 will also print out the information in the improper settings table (step 992).
  • The form of each of the tables which is printed out in steps 956, 972 or 992 may differ from that which is displayed. If the printout is requested, program function 160 converts the reference table used for the display into the printout form, prints it out and displays the printout as well. FIG. 14 illustrates an example of a printout of vulnerability findings for firewall 21, and includes for each vulnerable flow, the security rating for the vulnerability, the number of the rule that causes the vulnerability, the source IP address and destination IP address of the vulnerable flow, the network port and protocol of the vulnerable flow, and the recommendation to mitigate the vulnerability. FIG. 15 illustrates an example of a printout of misconfiguration findings for firewall 21, and includes for each misconfigured rule, the security rating for the misconfiguration, the number of the rule that causes the misconfiguration, the source IP address and destination IP address of the misconfigured flow, the network port and protocol of the misconfigured flow, whether the flow is permitted, and a description of the misconfiguration including where appropriate a recommendation to mitigate the misconfiguration. FIG. 16 illustrates an example of a printout of improper settings of firewall 21, and includes for each improper setting, the security rating for the improper setting, a description of the setting, an explanation of the problem caused by the setting, and a recommendation to correct the setting.
  • Based on the foregoing, a system, method and program for identifying and displaying data flows, vulnerabilities, misconfigurations and improper settings have been disclosed. However, numerous modifications and substitutions can be made without deviating from the scope of the present invention. For example, the foregoing process of FIGS. 3-9(A) and 9(B) can be repeated for firewall 22. Also, the foregoing process can be repeated for routers or other stateless and/or stateful inspection devices. Also, the foregoing process can be repeated for a set of firewalls to represent holistically the enterprise-wide firewall data flow and vulnerability status. Therefore, the present invention has been disclosed by way of illustration and not limitation, and reference should be made to the following claims to determine the scope of the present invention.

Claims (29)

1. A method for reporting a data flow in a firewall, said method comprising:
generating and displaying a graphical representation of said firewall and a network coupled to said firewall;
displaying a number of an inbound port of said network; and
displaying an arrow adjacent to said port number pointing toward said network indicating that a communication is permitted to said port.
2. A method as set forth in claim 1 wherein said port number and said arrow are located between an icon for said network and an icon for said firewall.
3. A method as set forth in claim 1 further comprising:
displaying a port number of a destination of a communication originating from said network; and
displaying another arrow adjacent to the destination port number pointing toward said firewall indicating that a communication is permitted to said destination port number.
4. A method as set forth in claim 3 wherein said destination port number and said other arrow are located between an icon for said network and an icon for said firewall.
5. A method as set forth in claim 1 further comprising displaying on or adjacent to said firewall a number of vulnerability and/or misconfiguration problems with said firewall.
6. A system for reporting a data flow in a firewall, said system comprising:
means for displaying a graphical representation of said firewall and a network coupled to said firewall;
means for displaying a number of an inbound port of said network; and
means for displaying an arrow adjacent to said port number pointing toward said network indicating that a communication is permitted to said port.
7. A system as set forth in claim 6 wherein said port number and said arrow are located between an icon for said network and an icon for said firewall.
8. A system as set forth in claim 6 further comprising:
means for displaying a port number of a destination of a communication originating from said network; and
means for displaying another arrow adjacent to the destination port number pointing toward said firewall indicating that a communication is permitted to said destination port number.
9. A system as set forth in claim 8 wherein said destination port number and said other arrow are located between an icon for said network and an icon for said firewall.
10. A system as set forth in claim 6 further comprising means for displaying on or adjacent to said firewall a number of vulnerability and/or misconfiguration problems with said firewall.
11. A computer program product for reporting a data flow in a firewall, said computer program product comprising:
a computer readable medium;
first program instructions to display a graphical representation of said firewall and a network coupled to said firewall;
second program instructions to display a number of an inbound port of said network; and
third program instructions to display an arrow adjacent to said port number pointing toward said network indicating that a communication is permitted to said port; and wherein
said first, second and third program instructions are recorded on said medium.
12. A computer program product as set forth in claim 11 wherein said port number and said arrow are located between an icon for said network and an icon for said firewall.
13. A computer program product as set forth in claim 11 further comprising:
fourth program instructions to display a port number of a destination of a communication originating from said network; and
fifth program instructions to display another arrow adjacent to the destination port number pointing toward said firewall indicating that a communication is permitted to said destination port number; and wherein
said fourth and fifth program instructions are recorded on said medium.
14. A computer program product as set forth in claim 13 wherein said destination port number and said other arrow are located between an icon for said network and an icon for said firewall.
15. A computer program product as set forth in claim 11 further comprising fourth program instructions to display on or adjacent to said firewall a number of vulnerability and/or misconfiguration problems with said firewall; and wherein said fourth program instructions are recorded on said medium.
16. A method for reporting data flow vulnerabilities in a firewall, said method comprising:
generating and displaying a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but vulnerable data flow, an entry for a destination IP address of the permitted but vulnerable data flow, and an entry for a protocol or destination port of said permitted but vulnerable data flow; and wherein the generating and displaying includes:
color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
color coding said destination IP address entry in said displayed table to indicate a security level of a destination network containing said destination IP address.
17. A method as set forth in claim 16 wherein said definition for each of said rules includes both said entry for said protocol and said entry for said destination port.
18. A method as set forth in claim 16 wherein the generating and displaying further comprises:
color coding said entry for said protocol and/or said entry for said destination port to indicate a severity of said vulnerability.
19. A method as set forth in claim 16 wherein said table also includes other definitions of another plurality of rules, each of said other definitions including an entry for a source IP address of a vulnerable, denied data flow, an entry for a destination address of the vulnerable, denied data flow, and an entry for a protocol or destination port of said vulnerable, denied data flow, and further comprising:
color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address of said vulnerable, denied data flow; and
color coding said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address of said vulnerable, denied data flow.
20. A computer program product for reporting data flow vulnerabilities in a firewall, said computer program product comprising:
a computer readable medium;
first program instructions to generate and display a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but vulnerable data flow, an entry for a destination IP address of the permitted but vulnerable data flow, and an entry for a protocol or destination port of said permitted but vulnerable data flow; and wherein said first program instructions include:
second program instructions to color code said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
third program instructions to color code said destination IP address entry in said displayed table to indicate a security level of a destination network containing said destination IP address; and wherein
said first, second and third program instructions are recorded on said medium.
21. A method for reporting data flow misconfigurations in a firewall, said method comprising:
generating and displaying a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but misconfigured data flow, an entry for a destination IP address of the permitted but misconfigured data flow, and an entry for a protocol or destination port of said permitted but misconfigured data flow, wherein the generating and displaying includes:
color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
color coding said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address.
22. A method as set forth in claim 21 wherein said definition for each of said rules includes both said entry for said protocol and said entry for said destination port.
23. A method as set forth in claim 22 wherein the generating and displaying further comprises color coding said entry for said protocol or said entry for said port to indicate a severity of said misconfiguration.
24. A method as set forth in claim 21 wherein said table also includes other definitions of another plurality of rules, each of said other definitions including an entry for a source IP address of a misconfigured, denied data flow, an entry for a destination address of the misconfigured, denied data flow, and an entry for a protocol or destination port of said misconfigured, denied data flow, and the generating and displaying further comprises:
color coding said source IP address entry in said table to indicate a security level of a source network containing said source IP address of said misconfigured, denied data flow; and
color coding said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address of said misconfigured, denied data flow.
25. A computer program product for reporting data flow misconfigurations in a firewall, said computer program product comprising:
a computer readable medium;
first program instructions to generate and display a table including definitions of a plurality of rules, each of said definitions including an entry for a source IP address of a permitted but misconfigured data flow, an entry for a destination IP address of the permitted but misconfigured data flow, and an entry for a protocol or destination port of said permitted but misconfigured data flow, wherein said first program instructions include:
second program instructions to color code said source IP address entry in said table to indicate a security level of a source network containing said source IP address; and
third program instructions to color code said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address; and wherein
said first, second and third program instructions are recorded on said medium.
26. A computer program product as set forth in claim 25 wherein said definition for each of said rules includes both said entry for said protocol and said entry for said destination port.
27. A computer program product as set forth in claim 26 wherein the first program instructions further include fourth program instructions to color code said entry for said protocol or said entry for said port to indicate a severity of said misconfiguration; and wherein said fourth program instructions are recorded on said medium.
28. A computer program product as set forth in claim 25 wherein said table also includes other definitions of another plurality of rules, each of said other definitions including an entry for a source IP address of a misconfigured, denied data flow, an entry for a destination address of the misconfigured, denied data flow, and an entry for a protocol or destination port of said misconfigured, denied data flow, and the first program instructions further comprise:
fifth program instructions to color code said source IP address entry in said table to indicate a security level of a source network containing said source IP address of said misconfigured, denied data flow; and
sixth program instructions to color code said destination IP address entry in said table to indicate a security level of a destination network containing said destination IP address of said misconfigured, denied data flow; and wherein said fifth and sixth program instructions are recorded on said medium.
29. A method for reporting improper settings in a firewall, said method comprising:
generating and displaying a table including descriptions and security-risk severity ratings of a respective plurality of settings of said firewall, wherein some or all of said settings are improper, and wherein the generating and displaying includes:
color coding the security-risk ratings or descriptions of the improper settings to indicate respective security-risk severities of said improper settings.
US10/922,500 2004-08-19 2004-08-19 Method and apparatus for graphical presentation of firewall security policy Abandoned US20060041936A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US10/922,500 US20060041936A1 (en) 2004-08-19 2004-08-19 Method and apparatus for graphical presentation of firewall security policy
US13/430,186 US8701177B2 (en) 2004-08-19 2012-03-26 Method and apparatus for graphical presentation of firewall security policy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/922,500 US20060041936A1 (en) 2004-08-19 2004-08-19 Method and apparatus for graphical presentation of firewall security policy

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/430,186 Continuation US8701177B2 (en) 2004-08-19 2012-03-26 Method and apparatus for graphical presentation of firewall security policy

Publications (1)

Publication Number Publication Date
US20060041936A1 true US20060041936A1 (en) 2006-02-23

Family

ID=35911017

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/922,500 Abandoned US20060041936A1 (en) 2004-08-19 2004-08-19 Method and apparatus for graphical presentation of firewall security policy
US13/430,186 Active US8701177B2 (en) 2004-08-19 2012-03-26 Method and apparatus for graphical presentation of firewall security policy

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/430,186 Active US8701177B2 (en) 2004-08-19 2012-03-26 Method and apparatus for graphical presentation of firewall security policy

Country Status (1)

Country Link
US (2) US20060041936A1 (en)

Cited By (63)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060015934A1 (en) * 2004-07-15 2006-01-19 Algorithmic Security Inc Method and apparatus for automatic risk assessment of a firewall configuration
US20060072456A1 (en) * 2004-09-30 2006-04-06 Cisco Technology, Inc. Method and apparatus for device based policy configuration in a network
US20060156380A1 (en) * 2005-01-07 2006-07-13 Gladstone Philip J S Methods and apparatus providing security to computer systems and networks
US20060218399A1 (en) * 2005-03-28 2006-09-28 Cisco Technology, Inc.; Method and system indicating a level of security for VoIP calls through presence
US20060256731A1 (en) * 2005-05-16 2006-11-16 Cisco Technology, Inc. Method and system using shared configuration information to manage network access for network users
US20060259958A1 (en) * 2005-05-16 2006-11-16 Cisco Technology, Inc. Method and system using presence information to manage network access
US20060258332A1 (en) * 2005-05-16 2006-11-16 Cisco Technology, Inc.; Method and system to protect the privacy of presence information for network users
US20070143847A1 (en) * 2005-12-16 2007-06-21 Kraemer Jeffrey A Methods and apparatus providing automatic signature generation and enforcement
US20070230473A1 (en) * 2006-03-31 2007-10-04 Kyocera Mita Corporation Communication device
US20070266431A1 (en) * 2004-11-04 2007-11-15 Nec Corporation Firewall Inspecting System and Firewall Information Extraction System
US20070282953A1 (en) * 2006-05-31 2007-12-06 Microsoft Corporation Perimeter message filtering with extracted user-specific preferences
US20080034431A1 (en) * 2006-07-18 2008-02-07 Federal Network Systems Llc Color based network security
US20080104233A1 (en) * 2006-10-31 2008-05-01 Hewlett-Packard Development Company, L.P. Network communication method and apparatus
US20080141331A1 (en) * 2006-12-07 2008-06-12 Cisco Technology, Inc. Identify a secure end-to-end voice call
US20080148382A1 (en) * 2006-12-15 2008-06-19 International Business Machines Corporation System, method and program for managing firewalls
US20080175382A1 (en) * 2007-01-24 2008-07-24 Gearhart Curtis M Centralized secure offload of cryptographic security services for distributed security enforcement points
US20080253366A1 (en) * 2007-04-11 2008-10-16 Palo Alto Networks, Inc. L2/l3 multi-mode switch including policy processing
US20080282082A1 (en) * 2007-02-20 2008-11-13 Ricoh Company, Ltd. Network communication device
US20090055905A1 (en) * 2005-06-23 2009-02-26 Cognos Incorporated Access control list checking
US20090070866A1 (en) * 2007-09-11 2009-03-12 Erikson Glade Methods and systems for secure email transmissions
US7516367B1 (en) * 2008-05-30 2009-04-07 International Business Machines Corporation Automated, distributed problem determination and upgrade planning tool
US20090300748A1 (en) * 2008-06-02 2009-12-03 Secure Computing Corporation Rule combination in a firewall
US20100217989A1 (en) * 2005-03-23 2010-08-26 Microsoft Corporation Visualization of trust in an address bar
US20100242111A1 (en) * 2005-12-16 2010-09-23 Kraemer Jeffrey A Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
US20100293617A1 (en) * 2004-07-15 2010-11-18 Avishai Wool Method and apparatus for automatic risk assessment of a firewall configuration
US20110023084A1 (en) * 2006-10-11 2011-01-27 Kraemer Jeffrey A Protection of computer resources
US8155014B2 (en) 2005-03-25 2012-04-10 Cisco Technology, Inc. Method and system using quality of service information for influencing a user's presence state
US20130067535A1 (en) * 2011-09-08 2013-03-14 Pantech Co., Ltd. Apparatus and method for controlling a network connection
CN103095490A (en) * 2011-12-16 2013-05-08 微软公司 Discovery and mining of performance information of a device for anticipatorily sending updates to the device
US20130247206A1 (en) * 2011-09-21 2013-09-19 Mcafee, Inc. System and method for grouping computer vulnerabilities
US8667573B2 (en) 2005-03-30 2014-03-04 Microsoft Corporation Validating the origin of web content
US20140075498A1 (en) * 2012-05-22 2014-03-13 Sri International Security mediation for dynamically programmable network
US8701177B2 (en) 2004-08-19 2014-04-15 International Business Machines Corporation Method and apparatus for graphical presentation of firewall security policy
US20140281741A1 (en) * 2013-03-15 2014-09-18 Khushboo Shah Bohacek Method, user interface and apparatus for cloud service confidence level generation and display
US20150040232A1 (en) * 2003-07-01 2015-02-05 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US20160072815A1 (en) * 2013-06-14 2016-03-10 Catbird Networks, Inc. Systems and methods for creating and modifying access control lists
US20160344773A1 (en) * 2015-05-19 2016-11-24 Cisco Technology, Inc. Integrated Development Environment (IDE) for Network Security Configuration Files
US20170213024A1 (en) * 2014-07-24 2017-07-27 Schatz Forensic Pty Ltd System and Method for Simultaneous Forensic, Acquisition, Examination and Analysis of a Computer Readable Medium at Wire Speed
US9749351B2 (en) 2013-05-31 2017-08-29 Catbird Networks, Inc. Systems and methods for dynamic network security control and configuration
US9912549B2 (en) 2013-06-14 2018-03-06 Catbird Networks, Inc. Systems and methods for network analysis and reporting
US20180069865A1 (en) * 2014-09-05 2018-03-08 Catbird Networks, Inc. Systems and Methods for Creating and Modifying Access Control Lists
US10166572B2 (en) 2006-12-29 2019-01-01 Kip Prod P1 Lp Display inserts, overlays, and graphical user interfaces for multimedia systems
US10210333B2 (en) * 2016-06-30 2019-02-19 General Electric Company Secure industrial control platform
US10225096B2 (en) 2006-12-29 2019-03-05 Kip Prod Pi Lp System and method for providing network support services and premises gateway support infrastructure
US20190245888A1 (en) * 2008-06-19 2019-08-08 Csc Agility Platform, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US10403394B2 (en) 2006-12-29 2019-09-03 Kip Prod P1 Lp Multi-services application gateway and system employing the same
WO2019183371A1 (en) * 2018-03-22 2019-09-26 Apomatix Inc. Networked computer-system management and control
US10462177B1 (en) * 2019-02-06 2019-10-29 Xm Cyber Ltd. Taking privilege escalation into account in penetration testing campaigns
US20190342335A1 (en) * 2018-04-10 2019-11-07 Nutanix, Inc. Creation of security policies using a visual approach
US10666673B2 (en) 2017-02-27 2020-05-26 Catbird Networks, Inc. Behavioral baselining of network systems
US10880189B2 (en) 2008-06-19 2020-12-29 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with self-service portal for publishing resources
US11196636B2 (en) 2013-06-14 2021-12-07 Catbird Networks, Inc. Systems and methods for network data flow aggregation
US11258763B2 (en) 2016-11-25 2022-02-22 Cybernetiq, Inc. Computer network security configuration visualization and control system
US11316688B2 (en) 2006-12-29 2022-04-26 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US11469952B2 (en) * 2017-06-19 2022-10-11 Cisco Technology, Inc. Identifying mismatches between a logical model and node implementation
US11595390B2 (en) * 2014-12-23 2023-02-28 Mcafee, Llc Self-organizing trusted networks
US11783925B2 (en) 2006-12-29 2023-10-10 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US11943351B2 (en) 2006-12-29 2024-03-26 Kip Prod P1 Lp Multi-services application gateway and system employing the same

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9390408B2 (en) 2006-12-01 2016-07-12 Sk Planet Co., Ltd. Method and apparatus for providing gift by using communication network and system including the apparatus
US9990667B2 (en) 2006-12-01 2018-06-05 Sk Planet Co., Ltd. Method and apparatus for providing a gift using a mobile communication network and system including the apparatus
US20150254145A1 (en) * 2014-03-07 2015-09-10 Microsoft Corporation Operating system/hypervisor efficiencies for sub-divided privilege levels
US9531757B2 (en) * 2015-01-20 2016-12-27 Cisco Technology, Inc. Management of security policies across multiple security products
US11516182B2 (en) * 2019-04-10 2022-11-29 Google Llc Firewall rules intelligence

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5991807A (en) * 1996-06-24 1999-11-23 Nortel Networks Corporation System for controlling users access to a distributive network in accordance with constraints present in common access distributive network interface separate from a server
US5999179A (en) * 1997-11-17 1999-12-07 Fujitsu Limited Platform independent computer network management client
US6044402A (en) * 1997-07-02 2000-03-28 Iowa State University Research Foundation Network connection blocker, method, and computer readable memory for monitoring connections in a computer network and blocking the unwanted connections
US20040010718A1 (en) * 1998-11-09 2004-01-15 Porras Phillip Andrew Network surveillance
US20040143658A1 (en) * 2003-01-17 2004-07-22 Chris Newton Method and apparatus for permitting visualizing network data
US20040162992A1 (en) * 2003-02-19 2004-08-19 Sami Vikash Krishna Internet privacy protection device
US6816897B2 (en) * 2001-04-30 2004-11-09 Opsware, Inc. Console mapping tool for automated deployment and management of network devices
US7076393B2 (en) * 2003-10-03 2006-07-11 Verizon Services Corp. Methods and apparatus for testing dynamic network firewalls
US7093005B2 (en) * 2000-02-11 2006-08-15 Terraspring, Inc. Graphical editor for defining and creating a computer system
US7257630B2 (en) * 2002-01-15 2007-08-14 Mcafee, Inc. System and method for network vulnerability detection and reporting

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5864666A (en) 1996-12-23 1999-01-26 International Business Machines Corporation Web-based administration of IP tunneling on internet firewalls
US6484261B1 (en) 1998-02-17 2002-11-19 Cisco Technology, Inc. Graphical network security policy management
US6170014B1 (en) 1998-03-25 2001-01-02 Community Learning And Information Network Computer architecture for managing courseware in a shared use operating environment
US7016980B1 (en) 2000-01-18 2006-03-21 Lucent Technologies Inc. Method and apparatus for analyzing one or more firewalls
US20030084098A1 (en) 2000-04-13 2003-05-01 Daniel Lavin Navigation server for use with, for example, a wireless web access device having a navigation control unit
US7664845B2 (en) 2002-01-15 2010-02-16 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7774839B2 (en) * 2002-11-04 2010-08-10 Riverbed Technology, Inc. Feedback mechanism to minimize false assertions of a network intrusion
US7421734B2 (en) * 2003-10-03 2008-09-02 Verizon Services Corp. Network firewall test methods and apparatus
US7567523B2 (en) * 2004-01-29 2009-07-28 Microsoft Corporation System and method for network topology discovery
US20060041936A1 (en) 2004-08-19 2006-02-23 International Business Machines Corporation Method and apparatus for graphical presentation of firewall security policy

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5991807A (en) * 1996-06-24 1999-11-23 Nortel Networks Corporation System for controlling users access to a distributive network in accordance with constraints present in common access distributive network interface separate from a server
US6044402A (en) * 1997-07-02 2000-03-28 Iowa State University Research Foundation Network connection blocker, method, and computer readable memory for monitoring connections in a computer network and blocking the unwanted connections
US5999179A (en) * 1997-11-17 1999-12-07 Fujitsu Limited Platform independent computer network management client
US20040010718A1 (en) * 1998-11-09 2004-01-15 Porras Phillip Andrew Network surveillance
US20040221191A1 (en) * 1998-11-09 2004-11-04 Porras Phillip Andrew Network surveillance
US7093005B2 (en) * 2000-02-11 2006-08-15 Terraspring, Inc. Graphical editor for defining and creating a computer system
US6816897B2 (en) * 2001-04-30 2004-11-09 Opsware, Inc. Console mapping tool for automated deployment and management of network devices
US7257630B2 (en) * 2002-01-15 2007-08-14 Mcafee, Inc. System and method for network vulnerability detection and reporting
US20040143658A1 (en) * 2003-01-17 2004-07-22 Chris Newton Method and apparatus for permitting visualizing network data
US20040162992A1 (en) * 2003-02-19 2004-08-19 Sami Vikash Krishna Internet privacy protection device
US7076393B2 (en) * 2003-10-03 2006-07-11 Verizon Services Corp. Methods and apparatus for testing dynamic network firewalls

Cited By (143)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8984644B2 (en) * 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9225686B2 (en) 2003-07-01 2015-12-29 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US10050988B2 (en) 2003-07-01 2018-08-14 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10154055B2 (en) 2003-07-01 2018-12-11 Securityprofiling, Llc Real-time vulnerability monitoring
US20150040232A1 (en) * 2003-07-01 2015-02-05 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10104110B2 (en) 2003-07-01 2018-10-16 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US10021124B2 (en) 2003-07-01 2018-07-10 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US8677496B2 (en) 2004-07-15 2014-03-18 AlgoSec Systems Ltd. Method and apparatus for automatic risk assessment of a firewall configuration
US20060015934A1 (en) * 2004-07-15 2006-01-19 Algorithmic Security Inc Method and apparatus for automatic risk assessment of a firewall configuration
US20100293617A1 (en) * 2004-07-15 2010-11-18 Avishai Wool Method and apparatus for automatic risk assessment of a firewall configuration
US8701177B2 (en) 2004-08-19 2014-04-15 International Business Machines Corporation Method and apparatus for graphical presentation of firewall security policy
US20060072456A1 (en) * 2004-09-30 2006-04-06 Cisco Technology, Inc. Method and apparatus for device based policy configuration in a network
US8595347B2 (en) * 2004-09-30 2013-11-26 Cisco Technology, Inc. Method and apparatus for device based policy configuration in a network
US20070266431A1 (en) * 2004-11-04 2007-11-15 Nec Corporation Firewall Inspecting System and Firewall Information Extraction System
US7979889B2 (en) * 2005-01-07 2011-07-12 Cisco Technology, Inc. Methods and apparatus providing security to computer systems and networks
US20060156380A1 (en) * 2005-01-07 2006-07-13 Gladstone Philip J S Methods and apparatus providing security to computer systems and networks
US20100217989A1 (en) * 2005-03-23 2010-08-26 Microsoft Corporation Visualization of trust in an address bar
US8843749B2 (en) * 2005-03-23 2014-09-23 Microsoft Corporation Visualization of trust in an address bar
US9444630B2 (en) 2005-03-23 2016-09-13 Microsoft Technology Licensing, Llc Visualization of trust in an address bar
US9838380B2 (en) 2005-03-23 2017-12-05 Zhigu Holdings Limited Visualization of trust in an address bar
US8155014B2 (en) 2005-03-25 2012-04-10 Cisco Technology, Inc. Method and system using quality of service information for influencing a user's presence state
US20060218399A1 (en) * 2005-03-28 2006-09-28 Cisco Technology, Inc.; Method and system indicating a level of security for VoIP calls through presence
US8015403B2 (en) * 2005-03-28 2011-09-06 Cisco Technology, Inc. Method and system indicating a level of security for VoIP calls through presence
US8667573B2 (en) 2005-03-30 2014-03-04 Microsoft Corporation Validating the origin of web content
US20060256731A1 (en) * 2005-05-16 2006-11-16 Cisco Technology, Inc. Method and system using shared configuration information to manage network access for network users
US7920847B2 (en) 2005-05-16 2011-04-05 Cisco Technology, Inc. Method and system to protect the privacy of presence information for network users
US7764699B2 (en) * 2005-05-16 2010-07-27 Cisco Technology, Inc. Method and system using shared configuration information to manage network access for network users
US20060259958A1 (en) * 2005-05-16 2006-11-16 Cisco Technology, Inc. Method and system using presence information to manage network access
US20060258332A1 (en) * 2005-05-16 2006-11-16 Cisco Technology, Inc.; Method and system to protect the privacy of presence information for network users
US8079062B2 (en) 2005-05-16 2011-12-13 Cisco Technology, Inc. Method and system using presence information to manage network access
US7805513B2 (en) * 2005-06-23 2010-09-28 International Business Machines Corporation Access control list checking
US20090055905A1 (en) * 2005-06-23 2009-02-26 Cognos Incorporated Access control list checking
US8255995B2 (en) 2005-12-16 2012-08-28 Cisco Technology, Inc. Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
US20070143847A1 (en) * 2005-12-16 2007-06-21 Kraemer Jeffrey A Methods and apparatus providing automatic signature generation and enforcement
US8495743B2 (en) 2005-12-16 2013-07-23 Cisco Technology, Inc. Methods and apparatus providing automatic signature generation and enforcement
US20100242111A1 (en) * 2005-12-16 2010-09-23 Kraemer Jeffrey A Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
US20070230473A1 (en) * 2006-03-31 2007-10-04 Kyocera Mita Corporation Communication device
US8028026B2 (en) * 2006-05-31 2011-09-27 Microsoft Corporation Perimeter message filtering with extracted user-specific preferences
US20070282953A1 (en) * 2006-05-31 2007-12-06 Microsoft Corporation Perimeter message filtering with extracted user-specific preferences
US20080034431A1 (en) * 2006-07-18 2008-02-07 Federal Network Systems Llc Color based network security
US8424096B2 (en) * 2006-07-18 2013-04-16 Verizon Patent And Licensing Inc. Color based network security
US8225373B2 (en) 2006-10-11 2012-07-17 Cisco Technology, Inc. Protection of computer resources
US20110023084A1 (en) * 2006-10-11 2011-01-27 Kraemer Jeffrey A Protection of computer resources
US20080104233A1 (en) * 2006-10-31 2008-05-01 Hewlett-Packard Development Company, L.P. Network communication method and apparatus
US20080141331A1 (en) * 2006-12-07 2008-06-12 Cisco Technology, Inc. Identify a secure end-to-end voice call
US7852783B2 (en) 2006-12-07 2010-12-14 Cisco Technology, Inc. Identify a secure end-to-end voice call
US8250642B2 (en) 2006-12-15 2012-08-21 International Business Machines Corporation System, method and program for managing firewalls
US8640218B2 (en) 2006-12-15 2014-01-28 International Business Machines Corporation System, method and program for managing firewalls
US20080148382A1 (en) * 2006-12-15 2008-06-19 International Business Machines Corporation System, method and program for managing firewalls
US20110030048A1 (en) * 2006-12-15 2011-02-03 International Business Machines Corporation System, method and program for managing firewalls
US10785050B2 (en) 2006-12-29 2020-09-22 Kip Prod P1 Lp Multi-services gateway device at user premises
US11183282B2 (en) 2006-12-29 2021-11-23 Kip Prod Pi Lp Multi-services application gateway and system employing the same
US11943351B2 (en) 2006-12-29 2024-03-26 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US11876637B2 (en) 2006-12-29 2024-01-16 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11792035B2 (en) 2006-12-29 2023-10-17 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11783925B2 (en) 2006-12-29 2023-10-10 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US11750412B2 (en) 2006-12-29 2023-09-05 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11695585B2 (en) 2006-12-29 2023-07-04 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11588658B2 (en) 2006-12-29 2023-02-21 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11582057B2 (en) 2006-12-29 2023-02-14 Kip Prod Pi Lp Multi-services gateway device at user premises
US11533190B2 (en) 2006-12-29 2022-12-20 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11527311B2 (en) 2006-12-29 2022-12-13 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US11489689B2 (en) 2006-12-29 2022-11-01 Kip Prod Pi Lp System and method for providing network support services and premises gateway support infrastructure
US11457259B2 (en) 2006-12-29 2022-09-27 Kip Prod P1 Lp Display inserts, overlays, and graphical user interfaces for multimedia systems
US11381414B2 (en) 2006-12-29 2022-07-05 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11362851B2 (en) 2006-12-29 2022-06-14 Kip Prod Pi Lp System and method for providing network support services and premises gateway support infrastructure
US11363318B2 (en) 2006-12-29 2022-06-14 Kip Prod Pi Lp Display inserts, overlays, and graphical user interfaces for multimedia systems
US11329840B2 (en) 2006-12-29 2022-05-10 Kip Prod P1 Lp Voice control of endpoint devices through a multi-services gateway device at the user premises
US11323281B2 (en) 2006-12-29 2022-05-03 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11316688B2 (en) 2006-12-29 2022-04-26 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US11184188B2 (en) 2006-12-29 2021-11-23 Kip Prod Pi Lp System and method for providing network support services and premises gateway support infrastructure
US11173517B2 (en) 2006-12-29 2021-11-16 Kip Prod P1 Lp Display inserts, overlays, and graphical user interfaces for multimedia systems
US11164664B2 (en) 2006-12-29 2021-11-02 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US11102025B2 (en) 2006-12-29 2021-08-24 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US11057237B2 (en) 2006-12-29 2021-07-06 Kip Prod Pi Lp System and method for providing network support services and premises gateway support infrastructure
US11032097B2 (en) 2006-12-29 2021-06-08 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US10897373B2 (en) 2006-12-29 2021-01-19 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US10812283B2 (en) 2006-12-29 2020-10-20 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US10166572B2 (en) 2006-12-29 2019-01-01 Kip Prod P1 Lp Display inserts, overlays, and graphical user interfaces for multimedia systems
US10728051B2 (en) 2006-12-29 2020-07-28 Kip Prod Pi Lp System and method for providing network support services and premises gateway support infrastructure
US10225096B2 (en) 2006-12-29 2019-03-05 Kip Prod Pi Lp System and method for providing network support services and premises gateway support infrastructure
US10263803B2 (en) 2006-12-29 2019-04-16 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US10673645B2 (en) 2006-12-29 2020-06-02 Kip Prod Pi Lp Systems and method for providing network support services and premises gateway support infrastructure
US10672508B2 (en) 2006-12-29 2020-06-02 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US10646897B2 (en) 2006-12-29 2020-05-12 Kip Prod P1 Lp Display inserts, overlays, and graphical user interfaces for multimedia systems
US10361877B2 (en) 2006-12-29 2019-07-23 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US10630501B2 (en) 2006-12-29 2020-04-21 Kip Prod P1 Lp System and method for providing network support services and premises gateway support infrastructure
US10403394B2 (en) 2006-12-29 2019-09-03 Kip Prod P1 Lp Multi-services application gateway and system employing the same
US10530600B2 (en) 2006-12-29 2020-01-07 Kip Prod P1 Lp Systems and method for providing network support services and premises gateway support infrastructure
US20080175382A1 (en) * 2007-01-24 2008-07-24 Gearhart Curtis M Centralized secure offload of cryptographic security services for distributed security enforcement points
US9137203B2 (en) * 2007-01-24 2015-09-15 International Business Machines Corporation Centralized secure offload of cryptographic security services for distributed security enforcement points
US8065723B2 (en) * 2007-02-20 2011-11-22 Ricoh Company, Ltd. Network communication device
US20080282082A1 (en) * 2007-02-20 2008-11-13 Ricoh Company, Ltd. Network communication device
US20140119376A1 (en) * 2007-04-11 2014-05-01 Palo Alto Networks, Inc. L2/l3 multi-mode switch including policy processing
US8594085B2 (en) * 2007-04-11 2013-11-26 Palo Alto Networks, Inc. L2/L3 multi-mode switch including policy processing
US9294394B2 (en) * 2007-04-11 2016-03-22 Palo Alto Networks, Inc. L2/L3 multi-mode switch including policy processing
US20080253366A1 (en) * 2007-04-11 2008-10-16 Palo Alto Networks, Inc. L2/l3 multi-mode switch including policy processing
US20090070866A1 (en) * 2007-09-11 2009-03-12 Erikson Glade Methods and systems for secure email transmissions
US7516367B1 (en) * 2008-05-30 2009-04-07 International Business Machines Corporation Automated, distributed problem determination and upgrade planning tool
US20090300748A1 (en) * 2008-06-02 2009-12-03 Secure Computing Corporation Rule combination in a firewall
US20190245888A1 (en) * 2008-06-19 2019-08-08 Csc Agility Platform, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US10880189B2 (en) 2008-06-19 2020-12-29 Csc Agility Platform, Inc. System and method for a cloud computing abstraction with self-service portal for publishing resources
US20210014275A1 (en) * 2008-06-19 2021-01-14 Csc Agility Platform, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US20130067535A1 (en) * 2011-09-08 2013-03-14 Pantech Co., Ltd. Apparatus and method for controlling a network connection
US20130247206A1 (en) * 2011-09-21 2013-09-19 Mcafee, Inc. System and method for grouping computer vulnerabilities
US9811667B2 (en) * 2011-09-21 2017-11-07 Mcafee, Inc. System and method for grouping computer vulnerabilities
US20130159500A1 (en) * 2011-12-16 2013-06-20 Microsoft Corporation Discovery and mining of performance information of a device for anticipatorily sending updates to the device
US10979290B2 (en) 2011-12-16 2021-04-13 Microsoft Technology Licensing, Llc Discovery and mining of performance information of a device for anticipatorily sending updates to the device
US9531588B2 (en) * 2011-12-16 2016-12-27 Microsoft Technology Licensing, Llc Discovery and mining of performance information of a device for anticipatorily sending updates to the device
CN103095490A (en) * 2011-12-16 2013-05-08 微软公司 Discovery and mining of performance information of a device for anticipatorily sending updates to the device
US10333988B2 (en) 2012-05-22 2019-06-25 Sri International Security mediation for dynamically programmable network
US9705918B2 (en) * 2012-05-22 2017-07-11 Sri International Security mediation for dynamically programmable network
US20140075498A1 (en) * 2012-05-22 2014-03-13 Sri International Security mediation for dynamically programmable network
US20140281741A1 (en) * 2013-03-15 2014-09-18 Khushboo Shah Bohacek Method, user interface and apparatus for cloud service confidence level generation and display
US10862920B2 (en) 2013-05-31 2020-12-08 Catbird Networks, Inc. Systems and methods for dynamic network security control and configuration
US10356121B2 (en) 2013-05-31 2019-07-16 Catbird Networks, Inc. Systems and methods for dynamic network security control and configuration
US9749351B2 (en) 2013-05-31 2017-08-29 Catbird Networks, Inc. Systems and methods for dynamic network security control and configuration
US9912549B2 (en) 2013-06-14 2018-03-06 Catbird Networks, Inc. Systems and methods for network analysis and reporting
US9769174B2 (en) * 2013-06-14 2017-09-19 Catbird Networks, Inc. Systems and methods for creating and modifying access control lists
US11196636B2 (en) 2013-06-14 2021-12-07 Catbird Networks, Inc. Systems and methods for network data flow aggregation
US20160072815A1 (en) * 2013-06-14 2016-03-10 Catbird Networks, Inc. Systems and methods for creating and modifying access control lists
US20170213024A1 (en) * 2014-07-24 2017-07-27 Schatz Forensic Pty Ltd System and Method for Simultaneous Forensic, Acquisition, Examination and Analysis of a Computer Readable Medium at Wire Speed
US10354062B2 (en) * 2014-07-24 2019-07-16 Schatz Forensic Pty Ltd System and method for simultaneous forensic, acquisition, examination and analysis of a computer readable medium at wire speed
US20180069865A1 (en) * 2014-09-05 2018-03-08 Catbird Networks, Inc. Systems and Methods for Creating and Modifying Access Control Lists
US11012318B2 (en) 2014-09-05 2021-05-18 Catbird Networks, Inc. Systems and methods for network analysis and reporting
US10728251B2 (en) * 2014-09-05 2020-07-28 Catbird Networks, Inc. Systems and methods for creating and modifying access control lists
US11595390B2 (en) * 2014-12-23 2023-02-28 Mcafee, Llc Self-organizing trusted networks
US9787722B2 (en) * 2015-05-19 2017-10-10 Cisco Technology, Inc. Integrated development environment (IDE) for network security configuration files
US20160344773A1 (en) * 2015-05-19 2016-11-24 Cisco Technology, Inc. Integrated Development Environment (IDE) for Network Security Configuration Files
US10210333B2 (en) * 2016-06-30 2019-02-19 General Electric Company Secure industrial control platform
CN110325995A (en) * 2016-06-30 2019-10-11 通用电气公司 The industrial control platform of safety
US11258763B2 (en) 2016-11-25 2022-02-22 Cybernetiq, Inc. Computer network security configuration visualization and control system
US10666673B2 (en) 2017-02-27 2020-05-26 Catbird Networks, Inc. Behavioral baselining of network systems
US11469952B2 (en) * 2017-06-19 2022-10-11 Cisco Technology, Inc. Identifying mismatches between a logical model and node implementation
WO2019183371A1 (en) * 2018-03-22 2019-09-26 Apomatix Inc. Networked computer-system management and control
US20190342335A1 (en) * 2018-04-10 2019-11-07 Nutanix, Inc. Creation of security policies using a visual approach
US11057432B2 (en) * 2018-04-10 2021-07-06 Nutanix, Inc. Creation of security policies using a visual approach
US10462177B1 (en) * 2019-02-06 2019-10-29 Xm Cyber Ltd. Taking privilege escalation into account in penetration testing campaigns

Also Published As

Publication number Publication date
US20120216270A1 (en) 2012-08-23
US8701177B2 (en) 2014-04-15

Similar Documents

Publication Publication Date Title
US8701177B2 (en) Method and apparatus for graphical presentation of firewall security policy
US11258763B2 (en) Computer network security configuration visualization and control system
US8176561B1 (en) Assessing network security risk using best practices
US10091220B2 (en) Platform for protecting small and medium enterprises from cyber security threats
US9094434B2 (en) System and method for automated policy audit and remediation management
US8135815B2 (en) Method and apparatus for network wide policy-based analysis of configurations of devices
US7627891B2 (en) Network audit and policy assurance system
EP1559008B1 (en) Method for risk detection and analysis in a computer network
US20060174337A1 (en) System, method and program product to identify additional firewall rules that may be needed
US20180270109A1 (en) Management of network device configuration settings
KR20060028390A (en) Security checking program for communication between networks
US20220116423A1 (en) Visualizing firewall-permitted network paths for assessing security of network configuration
Cisco Cisco Secure Intrusion Detection System Sensor Configuration Note Version 2.5
Cisco Cisco Intrusion Detection System Sensor Getting Started Version 3.1
Cisco Cisco Intrusion Detection System Sensor Device Manager Configuration Note Version 3.1
Cisco Cisco Secure Intrusion Detection System Sensor Configuration Note Version 3.0
Nilsson et al. Vulnerability scanners
Stefanek Information security best practices: 205 basic rules
Ranathunga Auto-configuration of critical network infrastructure
Antoine et al. Router Security Configuration Guide
Pravail 2100 Series Appliances Version 5.4
Borza et al. Router Security Configuration Guide
Safford et al. For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. Email: office@usenix.org 4. WWW URL: https://www.usenix.org
Solutions Hewlett-Packard A5547A Central Web Console Administrator Guide
Press CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ANDERSON, BROOKE MADSEN;BUNN, WILLIAM C.;KARNES, MARY;AND OTHERS;REEL/FRAME:017349/0856;SIGNING DATES FROM 20041117 TO 20041122

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION

AS Assignment

Owner name: KYNDRYL, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:058213/0912

Effective date: 20211118