Determining firewall rules for reverse firewalls
Abstract
A reverse firewall for removing undesirable traffic from a computing network, such as a virtual private network (VPN), is disclosed. The reverse firewall uses firewall rules that may be determined and maintained within the enterprise network to control communication sent between computers in the computing network. The reverse firewall rules may be used to identify the communications between computers in the network that are undesirable and/or intrusive. For example, a computer in a network that is infected with a worm or that is surreptitiously hosting a denial-of-service attack may be identified by the reverse firewall and quarantined. The reverse firewall may be implemented in hardware and/or software.
Claims
exact text as granted — not AI-modified1 . A method for securing a network using a reverse firewall, the reverse firewall accessing a profile of a host in the network, the method comprising the steps of:
at the reverse firewall, receiving a network communication from a host in the network; if parameters of the network communication from the host are in the profile of the host, allowing the network communication from the host; and if parameters of the network communication from the host are not in the profile of the host, enforcing a throttling discipline on the network communication to determine whether to allow or to block the network communication from the host.
2 . The method of claim 1 , the reverse firewall further comprising an out-of-profile counter for each host in the network, the method further comprising the steps of:
updating the out-of-profile counter for the host, if the parameters of the network communication from the host are not in the profile of the host.
3 . The method of claim 2 , wherein the throttling discipline is a n-r-relaxed discipline.
4 . The method of claim 2 , wherein the throttling discipline is a n-r-strict discipline.
5 . The method of claim 2 , wherein the throttling discipline is a n-r-open discipline for controlling out-of-profile network communication from the host.
6 . The method of claim 4 , the value of n being zero, and all network communication from the host being blocked when an out-of-profile network communication is attempted by the host.
7 . The method of claim 1 , the parameters of the network communication from the host being in the profile of the host if the destination address, destination port, and protocol of the network communication are present in the profile of the host.
8 . The method of claim 1 , the parameters of the network communication from the host being in the profile of the host if the destination address and the destination port of the network communication are present in the profile of the host.
9 . The method of claim 1 , the parameters of the network communication from the host being in the profile of the host if the destination address of the network communication is present in the profile of the host.
10 . A method for determining a communications management policy for a reverse firewall in a network, the method comprising the steps of:
generating a profile for a host in the network; and setting a throttling discipline for out-of-profile network communication from the host.
11 . The method of claim 10 , the step of generating a profile of a host including generating an initial set of rules corresponding to network communication originating from the host, and at least some of the initial set of rules are based on an analysis of network communication between a plurality of hosts in the network during a learning period.
12 . The method of claim 11 , the profile of the host comprising PCSPP rules.
13 . The method of claim 11 , the profile of the host comprising PCSP rules.
14 . The method of claim 11 , the profile of the host comprising PSP rules.
15 . The method of claim 10 , further comprising the step of:
updating the profile of the host in the network, the profile being stored in the reverse firewall.
16 . The method of claim 15 , the step of updating the profile of the host including automatically updating the set of rules to accommodate for known undesirable network communication.
17 . The method of claim 16 , the known undesirable network communication comprising at least one of: tcp communication between two hosts in the network that consists of less than three packets in each direction; udp communication between two hosts in the network that consists of less than two packets in either direction; and no icmp data communication.
18 . A network device for controlling a network communication sent from a host in a network, the network device configured to enforce a profile of the host and a throttling discipline, the device comprising:
a memory unit storing a set of rules corresponding to the profile of the host in the network, the network device accessing the memory unit to identify the set of rules corresponding to the profile of the host in the network; and an out-of-profile counter for use by the network device to enforce the throttling discipline.
19 . The device of claim 18 , the network device comprising a programmable router configured as a reverse firewall, the host in the network being connected to the network device.
20 . The device of claim 18 coupled to an out-of-profile-counter, the out-of-profile counter being provided for each host in the network, the profile being stored in the memory unit, and the out-of-profile counter comprising a number and a timer.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.