US9270704B2 - Modeling network devices for behavior analysis - Google Patents
Modeling network devices for behavior analysis Download PDFInfo
- Publication number
- US9270704B2 US9270704B2 US14/209,771 US201414209771A US9270704B2 US 9270704 B2 US9270704 B2 US 9270704B2 US 201414209771 A US201414209771 A US 201414209771A US 9270704 B2 US9270704 B2 US 9270704B2
- Authority
- US
- United States
- Prior art keywords
- behavior
- group
- rules
- communication packet
- network device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
Definitions
- aspects of the present invention relate to networks of computing devices and, more particularly, aspects of the present invention involve network devices, such as Open Systems Interconnection (OSI) Layer 3 network devices like firewalls, routers and switches and the security, routing, and translation functions associated with such devices.
- OSI Open Systems Interconnection
- Firewall and “firewall device” throughout this document refers to such OSI Layer 3 network devices and functions associated with such devices.
- a firewall device is typically deployed in most networks.
- a firewall device is a software or hardware-based device that controls incoming and outgoing traffic to/from a network through an ordered set of rules, collectively referred to as a firewall policy.
- the primary purpose of a firewall is to act as the first line of defense against malicious and unauthorized traffic from affecting a network, keeping the information that an organization does not want out, while allowing approved access to flow into and out of the network.
- firewall policy While a static firewall policy may somewhat protect a network, a firewall policy with the ability to adapt to the ever-changing environment of a network, such as the Internet, allows the firewall to defend against the newest types of malicious attacks.
- management of a firewall policy quickly becomes overwhelming for network managers or engineers.
- Many firewall devices today include rule-sets with thousands of rules that continually grow as more and more threats to the network are identified. As such, the ability to accurately and confidently understand a firewall policy and know what changes have occurred is more difficult than ever and continues to increase in complexity with every passing day.
- firewall policies consisting of a list of rules
- attempting to model the entire firewall introduces an additional set of attributes possessed by most modern firewall vendors.
- Multiple ingress and egress interfaces, traffic routing tables, multiple security policies, and network address translation (NAT) broaden the definition of a firewall such that modeling the behavior of a firewall becomes more than an ordered list of rules. Therefore, the ability to accurately and confidently understand the firewall device and know what changes have occurred are more difficult than ever, and continue to increase in complexity.
- One implementation of the present disclosure may take the form of method for modeling behavior of a networking device.
- the method includes the operations of obtaining a plurality of behavior rules, the plurality of behavior rules defining the processing of a communication packet by the networking device, the communication packet comprising at least one predicate value and collecting the plurality of behavior rules into at least one behavior group.
- the method further includes creating, utilizing a processing device, a spanning graph of a policy of the networking device comprising representations of one or more ingress ports to the networking device, representations of one or more egress ports from the networking device, and representations of the at least one behavior group, the spanning graph configured to display a communication pathway comprising at least one of the one or more ingress ports, the at least one behavior group, and at least one egress port of the networking device and providing the spanning graph to a user of the network device.
- Another implementation of the present disclosure may take the form of a non-transitory computer-readable medium encoded with instructions for modeling behavior of a network device, the instructions executable by a processor.
- the instructions include the operations of obtaining a plurality of behavior rules from a policy of the network device, the plurality of behavior rules defining the processing of a communication packet by the network device, the communication packet comprising at least one predicate value and collecting the plurality of behavior rules into at least one behavior group representation such that the at least one behavior group representation comprises a portion of the plurality of behavior rules.
- the instructions include creating a spanning graph comprising representations of one or more ingress ports to the network device, representations of one or more egress ports from the network device, at least one behavior group representation, and at least one directed edge between the representations of one or more ingress ports, the at least one behavior group representation and the representations of one or more egress ports such that the flow indicator displays a communication pathway of a communication packet through the network device and providing the spanning graph to a user of the network device.
- Yet another implementation of the present disclosure takes the form of a system for modeling a network policy rule set.
- the system includes a processing device and a computer-readable medium with one or more executable instructions stored thereon. When the instructions are executed, the system performs the operations of obtaining a plurality of behavior rules from the network policy rule set, the plurality of behavior rules defining the processing of a communication packet by the network device and collecting the plurality of behavior rules into a plurality of behavior groups representations such that each of the plurality of behavior groups representations comprise a portion of the plurality of behavior rules.
- the instructions include creating a spanning graph of the network policy comprising representations of one or more ingress ports to the network device, representations of one or more egress ports to the network device, the representations of the plurality of behavior groups, and at least one directed edge between the representations of one or more ingress ports, the representations of the plurality of behavior groups and the representations of one or more egress ports such that the flow indicator displays a communication pathway of a communication packet through the network device and providing the spanning graph to a user of the network device.
- FIG. 1 illustrates an example network environment that may implement various systems and methods of the present disclosure.
- FIG. 2 is an example access control table for a firewall interface.
- FIG. 3 is an example routing table for a firewall interface.
- FIG. 4 is an example network address translation table for a firewall interface.
- FIG. 5 is a flow chart illustrating a method for modeling the behavior or communication paths through a firewall.
- FIG. 6A is an example spanning graph that represents the function of a firewall device with a routing and security group.
- FIG. 6B is the spanning graph of FIG. 6A with an integrated interface switch.
- FIG. 7 is an example spanning graph that represents the function of a firewall device obtained through the operations of the flowchart of FIG. 5 .
- FIG. 8 illustrates a spanning graph that utilizes virtual routing behavior groups comprising virtual routing behavior rules.
- FIG. 9 illustrates a spanning graph that utilizes an interface switch for illustration of modeling multiple zone policies with a global policy utilizing multiple interface switches.
- FIG. 10 is a flowchart illustrating a method for utilizing a Firewall Policy Diagram with a spanning graph of a firewall function.
- FIG. 11 is a binary decision diagram representing a particular rule of a firewall rule set.
- FIG. 12 is a block diagram illustrating an example of a computing system which may be used in implementing embodiments of the present disclosure.
- Implementations of the present disclosure involve a system and/or method for modeling a firewall device function such that the model may be used with software based analysis and other formal analysis methods.
- firewall and “firewall device” throughout this document refers to OSI Layer 3 network devices (such as routers, firewalls, and switches) and functions associated with such devices.
- the system and/or method includes converting one or more rules of the firewall function into a string of representative bits, creating a binary decision diagram or other decision diagram from the converted rules of the firewall policy, creating a spanning graph for the firewall or firewall policy and collapsing or simplifying the spanning graph to a behavior group that illustrates the pathways through the firewall for a communication packet.
- This system and/or method allows for the understanding of a firewall transfer function such that the policy can be replicated among various firewalls in the network at issue.
- the system provides several uses when applied to firewalls in a network. For example, network trace analysis for understanding how a packet will traverse through the firewall device without physically sending the packet is provided.
- a packet space of each possible packet instance in the form of a Firewall Policy Diagram may traverse the network to understand what will make it from point A to point B.
- One such Firewall Policy Diagram is described in related U.S. patent application Ser. No. 14/209,574, titled “SYSTEM AND METHOD FOR MODELING A NETWORKING DEVICE POLICY” to Clark and filed on Mar. 13, 2014, the entirety of which is incorporated by reference herein. Further, logical comparisons of firewall vendor implementations are possible.
- firewalls are configured to behave the exact same way but are from two different implementations
- modeling the behavior of each vendor in software allows formal verification that the resulting address spaces of each ingress and egress are identical between the two implementations being tested. Subsequently, if they are not identical, the Firewall Policy Diagram used to traverse the spanning graph can tell you what is different from what is potentially a large solution space. Also, behavior modeling of specific firewall vendors serves as the basis for automated translation from one vendor configurations to another with certainty of how the device will behave. Finally, such modeling provides for the ability to participate in a larger software modeled network for more comprehensive simulations.
- FIG. 1 illustrates an example network environment 100 that may implement various systems and methods of the present disclosure.
- the network environment 100 includes one or more computing devices 102 (which collectively could form a local area network), a firewall 104 and a wide area network 106 , such as the Internet.
- the computing device 102 may include any type of computing devices, including but not limited to a personal computing devices such as a personal computer, a laptop, a personal digital assistant, a cell phone, and the like and one or more routing devices, such as a server, a router, and the like.
- the computing devices 102 may include any type of device that processes one or more communication packets.
- the wide area network 106 may include one or more other computing or routing devices.
- the Internet is one example of a wide area network 106 , but any type of wide area network comprising one or more computing devices is contemplated.
- the firewall 104 is in communication between the wide area network 106 and the computing device 102 and operates to analyze and potentially filter communication packets transmitted between the networks. The operation of the firewall 102 is described in more detail below.
- One of ordinary skill in the art will recognize the various ways and communication protocols through which the computing devices 102 can connect to the firewall 104 and the firewall can connect to the wide area network 106 for communication between the networks. For simplicity, the various ways for connecting the components of the network environment 100 are omitted.
- the firewall 104 allows the two networks 102 , 106 to communicate through the transfer of communication packets, while securing the private network behind the firewall.
- the typical placement of a firewall 104 is at the entry point into a network 102 so that all traffic passes through the firewall to enter the network.
- the traffic that passes through the firewall 102 is typically based on existing packet-based protocols, and a packet can be thought of as a tuple with a set number of fields.
- a packet may include such fields as a source/destination IP address, port number, and/or a protocol field, among other fields.
- a firewall 102 typically inspects or analyzes each packet that travels through it and decide if it should allow the packet to pass through the firewall based on a sequence of rules pertaining to the values of the one or more fields in the packet.
- a packet may include a source IP address may be 10.2.0.1 and destination IP address may be 192.168.1.1.
- a firewall rule may utilize those values to determine whether the packet is allowed into the network 102 or denied.
- the firewall 104 may determine any packet with a source IP address of 10.2.0.1 is denied entry into the network 102 .
- the decision portion of a rule determines what happens if the value matches to a true evaluation by matching a field to a condition value and determining if the matching is true.
- the rule then typically employs an accept or deny action on the packet, with the possibility of additional actions, such as an instruction to log the action. However, for the purpose of this disclosure, only the case of accept or deny is discussed herein for simplicity.
- a firewall policy is generally made up of an ordered list of these rules such that as a packet is processed by the firewall, the firewall attempts to match some aspect of the packet to the rules one rule at a time, from beginning of the rule list to the end.
- Matching the packet means that the firewall evaluates a packet based on the fields in the rule tuple to determine if the fields match the values identified in the rule.
- the rule does not necessarily need to contain a value for all possible fields and can sometimes contain an “any” variable in a field to indicate that the rule is a “do not care” condition for that variable.
- these rules are processed in order until the firewall finds a match and takes the appropriate action identified by the decision portion of the rule.
- firewalls filter communications based on a local security policy applied to each communication packet entering the firewall
- many firewall vendors have continued to increase the scope of what defines a firewall.
- Many modern firewalls typically include a combination of router, network address translation (NAT), and filtering capabilities.
- NAT network address translation
- each of these sub-components may be broken down further into other elements such as: virtual routers, embedded NAT inside of rules, and multiple filtering policies applied at different places. Therefore, to obtain an abstraction of a firewall function, these capabilities are also represented so that accurate results may be computed.
- FIG. 2 is an example of one such access control table for a firewall interface illustrating a rule set of a firewall 104 for a particular network 102 .
- the rule set 200 of FIG. 2 includes five rules, numbered in the far right column 202 of the table.
- Column 204 indicates the action taken for each of the rules when the conditions of the rules are met and columns 206 - 216 provide the identifiers or portions of the packet that define the packet for each individual rule, otherwise known as the predicate of the rule.
- the rule set 200 either provides for allowing or denying the packet into the network when the predicate matches a received packet.
- other actions may also be taken by the firewall, such as logging.
- the predicate portion of the rules of the rule set 200 includes columns 206 - 216 .
- column 206 establishes a source address or range of source addresses for each rule.
- rule 1 of the rule set applies to packets with a source address of 192.168/16
- rule 2 applies to packets with a source address outside of 192.168/16.
- column 208 includes a destination address for each particular rule.
- rule 1 applies for a packet with a destination packet outside of 192.168/16.
- Column 210 designates a type of communication protocol for each rule in the rule set
- column 212 designates a source port number for each rule
- column 214 designates a destination port number for each rule
- column 216 designates a flag state for each rule.
- a rule set may consider any aspect of a communication packet as a predicate for the rules 202 in the rule set.
- a firewall 104 receives a communication packet from the wide area network 106 or the local area network 102 and compares portions of the communication packet to the rules 202 in the rule set 200 of the firewall. Further, these rules are generally processed in order until the firewall finds a match and takes the appropriate action identified by the decision portion 204 of the rule.
- the firewall 104 compares the source address 206 , destination address 208 , protocol 210 , source portal identifier 212 , destination portal identifier 214 and flag state 216 of the communication packet to the corresponding column 206 - 216 entry for rule 1 of the rule set.
- the firewall 104 takes the action described in column 204 for that particular rule. In this case, the packet would be allowed by the firewall 104 . However, if one or more of the communication packet portions do not match the corresponding entry in the predicate columns 206 - 216 , then the firewall 104 moves to the next rule (in this case rule 2) and performs the same operations. The firewall 104 continues in this manner until a rule is found in the rule set 200 that matches the predicates of the packet. For example, as shown in the rule set 200 , if the packet does not match the predicates for rules 1-4, rule 5 includes a deny action for all predicates.
- a route can be defined as a simple one packet rule with a decision being the egress interface (or through which port the packet is transmitted).
- the one packet of the traffic being processed is the destination.
- the destination can be identified as an IP Address, address range, or Classless Inter-Domain Routing (CIDR) format. Therefore, in a similar manner as security rules discussed above, the solution space can be split as the traffic is processed. Traffic is matched from top to bottom in the routing table.
- FIG. 3 is an example of a routing table 300 based on the routes through the firewall. Similar to the processing of the packet discussed above, the firewall may determine the egress port for any incoming communication packet by stepping through the routing table from top to bottom.
- the routing table 300 would match the destination address in column 304 to the second rule in column 302 in the table and send traffic out of egress port labeled as “eth1” (as designated in column 306 ).
- NAT Network Address Translation
- the NAT feature allows private and public IP addresses to communicate.
- Some non-routable address formats include 10.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The reasoning for this is to allow private networks that do not communicate directly to other private networks to share these address formats without fear of collision. Therefore, the NAT feature provides the means for two private networks with colliding address space to communicate through a border device, like a firewall.
- NAT feature Another consideration behind a NAT feature is that public Internet service providers typically charge for each public address and have a finite number available to them. Therefore for flexibility and cost savings, using a one to many relationship from external to internal outbound traffic is advantageous to an organization such that the border device looks like one device to the outside world but in reality is hiding many private hosts. Further, a NAT feature can be used is to provide a layer of security to the devices in the private network. Disguising the true location of secure resources an organization provides one more level of security to the organizations assets.
- NAT implementation is typically performed through a translation table similar to that described above for routes and policies of the firewall.
- FIG. 4 is an example of one such NAT translation table.
- inbound traffic to the firewall is matched to an entry (either source or destination address) in the table to be translated to another address on the egress side.
- the firewall device then keeps track of that conversation in order for response packets to have the reverse translation applied and arrive at the appropriate destination.
- the translation table 400 would match the destination address in column 404 to the first rule in column 402 in the table and translate the address to address 74.125.228.39 (as designated in column 406 ).
- SNAT source address translation
- DNAT destination address translation
- PAT port translation
- this sort of translation may occur on the packet being processed through the firewall.
- this is an example of a hide translation where the outgoing packet source address will assume the address of the egress interface, making the packet appear to have originated from the firewall and subsequently hiding the true origination.
- the response when the response is seen by the firewall, it may reverse the translation and send the traffic to the originating host (the intended recipient).
- FIG. 5 is a flowchart illustrating one method for modeling the behavior or communication paths through a firewall.
- the operations are performed by a firewall device or computing device associated with a firewall and can be provided to an administrator of the firewall device or a related network to aid the administrator in managing the firewall function for a network.
- a firewall device or computing device associated with a firewall can be provided to an administrator of the firewall device or a related network to aid the administrator in managing the firewall function for a network.
- the operations of the flowchart of FIG. 5 may provide a summary of the behavior of the firewall that may be replicated to other firewall devices in the network, even to firewall devices that are of a different vendor.
- the system determines the one or more behavior rules for the firewall function.
- the predicate defines the particulars of a communication packet that determine when a rule is applied, such as the source address, destination address, source port and destination port of the packet.
- the actions that occur when the predicate matches are accept, deny or next action; with two additional state transition operators: translate and egress interface.
- an action may be applied (accept, deny, or next), but one or more of the state transition operators may be applied.
- one or more behavior groups may be constructed from the grouping of the behavior rules of the abstracted firewall.
- a behavior group is a representation of a set of behavior rules that are typically processed top to bottom such that a first matching predicate for a particular individual packet performs the associated action.
- the behavior group may model a particular routing behavior or a security policy behavior such that corresponding routes or security rules are in that group may potentially be processed as one entity.
- the use of behavior groups simplifies the represented firewall device of a spanning graph into smaller, more global rules.
- behavior groups may possess three actions: accept, deny and default. These actions may be linked to the next group in the spanning graph or potentially to the egress interface of the firewall.
- accept action will be applied to a traversing packet when the packet has matched a behavior rule predicate and the related action was accept.
- deny action will follow the same logic but go to the deny path.
- the behavior group default action will be applied if no behavior rule predicate matched the packet.
- FIG. 6A illustrates one example of a spanning graph of a firewall device.
- the spanning graph 602 includes two representations of ingress ports (illustrated in FIG. 6A as ingress ports “eth0” 604 and “eth1” 606 ), a representation of a routing behavior group 608 , two representations of security policy behavior groups 610 , 612 , and two representations of egress ports (illustrated in FIG. 6A as ingress ports “eth0” 614 and “eth1” 616 ).
- FIG. 6A illustrates one example of a spanning graph of a firewall device.
- the spanning graph 602 includes two representations of ingress ports (illustrated in FIG. 6A as ingress ports “eth0” 604 and “eth1” 606 ), a representation of a routing behavior group 608 , two representations of security policy behavior groups 610 , 612 , and two representations of egress ports (illustrated in FIG. 6A as ingress ports “
- ingress ports eth0 and eth1 604 , 606 are subjected to the routing behavior group 608 as illustrated by the flow arrows into the routing behavior group.
- the rules contained within the routing behavior group 608 would be applied to communications entering through the ingress ports 604 , 606 .
- the routing behavior group identifies those communications with a destination address of 10.8.2.1 are transmitted to egress port eth1 614 and communications with a destination address of 192.168.10.2 are transmitted to egress port eth0 616 .
- a security policy behavior group 610 , 612 is associated with each of the egress ports 614 , 616 shown in the spanning graph 602 .
- the security policy behavior groups 610 define the communication packets that are accepted by the firewall for each egress port 614 , 616 , among other security policy behavior rules.
- associated with each security policy behavior group 610 , 612 is an accept block 618 , 622 and a deny block 620 , 624 that illustrate the next step in the spanning graph 602 when the communication packet is accepted by the firewall or denied.
- the communication is allowed to pass to the related egress port, as indicated by the accept blocks 618 , 622 .
- the behavior of the firewall's function may be obtained.
- the system may also simplify the spanning graph where applicable.
- the spanning graph may include one or more interface switches that operate to reduce the number of paths through the spanning graph.
- interface switches may be placed in the behavior group model to act on two elements. The first is on inbound interface the traffic passes through the ingress ports. Additional interface switches may be located at the state transition behavior groups that identified the egress interface at some point in the spanning graph.
- FIG. 6B illustrates the spanning graph 602 of FIG. 6A , with an interface switch 652 at the egress port of the spanning graph. As can be seen in the spanning graph 650 of FIG.
- the security policy behavior groups for the egress ports 614 , 616 of the spanning graph are combined into a single security policy behavior group 654 .
- the interface switch 652 determines which egress port 614 , 616 the communication packet is transmitted through.
- the spanning graph 654 may be simplified for easier understanding and traversing.
- a zone in a firewall is typically a grouping of a number of interfaces into a logical area of the network.
- a zone set-up is illustrated in FIG. 9 and discussed in more detail below.
- egress ports eth0 and eth1 may be considered an internal zone while egress ports eth2 and eth3 may be considered in an unsafe zone.
- a vendor may then identify a security policy when the traffic is passing from zone-to-zone and is specific to that zone-to-zone transition. In this example, there may exist a security policy that may be applied if the traffic came in the internal zone and is destined for the unsafe zone. Without an interface switch between the zones, there would be a path for every interface to interface combination, regardless if those interfaces shared the same zones, with the result being duplicated behavior groups and paths. As such, interface switches may be applied to reduce the number of duplicated behavior groups and paths.
- a spanning graph for a firewall device may be created that summarizes the behavior of the firewall transfer function for ease of understanding. Further, the spanning graph allows for simulation of the traffic to be based on interface origination. Also, the spanning graph may act as a way to compare two firewalls types that process traffic differently, but expect the same external results.
- FIG. 7 is an example spanning graph of a firewall function created through the operations described above. As should be appreciated, the spanning graph 702 is an example spanning graph for an example firewall device. A spanning graph for a firewall device may include fewer or more entries in the spanning graph to illustrate the behaviors of the firewall function.
- the spanning graph 702 may include one or more ingress ports (shown in FIG. 7 as “eth0” 704 and “eth1” 706 ingress ports).
- the spanning graph 702 also includes a routing behavior group 708 that receives the communications received on each ingress port 704 , 706 and applies one or more behavior rules that determines a particular ingress/egress port for the destination address of the received communication packets.
- a security policy behavior group 710 is also included in the spanning graph 702 . Similar to the routing behavior group 708 , the security policy behavior group 710 includes one or more behavior rules that define when a communication packet is accepted or denied by the security policy.
- the communication packet is passed to a destination network address translation (DNAT) behavior group 712 , illustrated in FIG. 7 as the arrow from the accept box 714 of the security policy behavior group 710 to the DNAT behavior group.
- DNAT destination network address translation
- the DNAT behavior group 712 contains one or more behavior rules that may translate the destination address for received communication packets.
- the DNAT behavior group 712 of the spanning graph 702 contains the behavior rule that the destination address is hidden for communication packets received intended for address 10.8.2.1, among other behavior rules.
- the spanning graph 702 also includes interface switch 718 that determines which egress port the packet is sent through, and a representation of the egress ports “eth0” 722 and “eth1” 720 .
- the spanning graph 702 is a descriptive graph of the behavior rules and groups for a firewall device such that an analysis of the graph provides insights into the firewall function.
- FIG. 8 illustrates a spanning graph 802 that utilizes virtual routing behavior groups 804 , 806 comprising virtual routing behavior rules.
- zone-to-zone policies may be represented by using an interface switch before selecting the security policy to be processed.
- FIG. 9 illustrates an example spanning graph 902 that utilizes a first interface switch 904 to select the zone policy 908 , 910 and a second interface switch 906 again to select the egress interface in the spanning graph.
- the spanning graph of the firewall function may be used for tracing the behavior of individual packets through the firewall device.
- the spanning graph may be utilized in other respects. For example, utilizing a data structure capable of representing the entire solution space of the behavior group. Such a data structure is referred to herein as a Firewall Policy Diagram (FPD).
- FPD Firewall Policy Diagram
- a Firewall Policy Diagram is a set of data structures and algorithms used to model a communication packet space of N tuples into an entity allowing efficient mathematical operations.
- the FPD forms the base of the behavior modeling engine and allows the fast and efficient manipulation of that solution space. This achieves a complete and thorough understanding of the solution space as it comes in an ingress interface and exits another egress interface, yielding an accurate understanding of what traffic would have passed.
- FIG. 10 is a flowchart illustrating a method for utilizing a Firewall Policy Diagram with a spanning graph abstraction of a firewall device.
- the operations are performed by a firewall device or computing device associated with a firewall and can be provided to an administrator of the firewall device or a related network to aid the administrator in managing the firewall devices in a network.
- a firewall device or computing device associated with a firewall can be provided to an administrator of the firewall device or a related network to aid the administrator in managing the firewall devices in a network.
- FIG. 12 is described in greater detail below with reference to FIG. 12 .
- the computing device translates or represents each rule in the rule set defining the policy of the firewall device into one or more strings of bits.
- a truth table of the rule set can be created.
- a bit string may represent a value for one or more of the predicates associated with a rule in the rule set, such as a string of 32 bits may represent a value in the source address column 206 . In this manner, the values in the source address column can be converted into bit strings for further processing of the rule set.
- bit strings representing any value in the predicate fields of the rules may include any number of bits in the representative bit string.
- only particular predicate values of the rules are converted into bit strings. For example, in one embodiment, only the values of the source address, destination address, protocol, and destination port are converted into bit strings. However, any field included in the packet may be used to analyze and model the rule set of the firewall function.
- a binary decision diagram (BDD) of the rule set is created in operation 1004 for a particular rule or set space.
- a BDD is a diagram that visually represents a truth table of a function.
- An example BDD 1102 is illustrated in FIG. 11 .
- the diagram represents the result of the function depending on the values of the bits represented in the BDD 1102 .
- the BDD 1102 of FIG. 11 illustrates a truth table for a function of an 8-bit string, represented in the table as bits 0 - 7 .
- Each circle in the BDD 1102 represents a bit of the 8-bit string and a result of the function can be determined by following a path down the BDD to a terminal, represented as the squares at the bottom of the BDD. Further, the lines connecting the bits of the BDD 1102 indicate a high or low assertion of the bit. In particular, a solid line connecting two nodes indicates a high assertion of the particular bit and a dotted line indicates a low assertion of the particular bit.
- a program begins at the top of the BDD 1102 and follows the appropriate connecting lines through the BDD based on the values of the bits of the string (either the solid line for a high assertion or a dotted line for a low assertion) until the terminal value is determined.
- the BDD 1102 provides an illustrative diagram of a function of the 8-bit string.
- any type of BDD known or hereafter developed may be utilized by the disclosure described herein.
- an 8-bit string of 11101100 that represents the predicate field of a rule of the rule set of the behavior group.
- the bit string for such a rule would consist of much more bits.
- the 8-bit string mentioned above is used for example purposes herein. Beginning at node “0” 1104 of the BDD 1102 of FIG. 11 , the graph is traversed down the left arrow from the bit “0” circle 1104 as the value of the most significant bit of the string in this case is high, reaching node 1106 of the BDD. Node 1106 represents the value at bit “1” of the string, or the second most significant bit. This bit also includes an asserted value.
- the right arrow from node 1106 of the BDD 1102 is traversed to node 1108 .
- the left arrow is traversed from node 1108 to node 1110 (as a solid line represents an assertion at the bit associated with the particular node).
- a low or unasserted value at bit 3 traverses from node 1110 to node 1112 .
- Continuing through the 8-bit string in this manner traverses from node 1112 to node 1114 and from node 1114 to node 1116 .
- bit position 6 Because the value at bit position 6 is low or unasserted, bit position 7 (or the least significant bit of the string) is ignored and the resulting value of “1” or high 1118 is the output of the represented function.
- the BDD may be traversed to determine the function result of any combination of bits in the eight bit string.
- the BDD 1102 is a representation of an eight bit function corresponding to the example 8-bit string that represents the predicate field of a rule of the rule set of the firewall behavior group.
- the BDD 1102 of FIG. 11 is merely an example of a BDD. It should be appreciated that such a diagram may be implemented for one or more bit strings of any length.
- the bit string representations of the predicates of the rules of the rule set are converted in a BDD 1102 that represents the rule set.
- the 32 bit string representing the source address, the 32 bit string representing the destination address, the eight bits representing the protocol type and the 16 bits representing the destination port may be combined into a function and used to create a BDD 1102 that represents each rule of the rule set of the behavior group.
- the BDD graph of the potential traffic space is used to walk through the spanning graph illustrating the firewall device.
- the spanning graph is walked from an ingress port representation to an egress port representation with the FPD splitting and mutating as each behavior group is processed until it reaches the egress interface leaf.
- the FPD provides a mechanism through which the spanning graph can be walked to arrive at an egress port.
- each leaf FPD result is OR'd or otherwise combined together to produce the final FPD at that egress leaf representing an accurate space of what traffic can pass through the firewall and out of that interface.
- the spanning graph of a firewall device may be utilized with a Firewall Policy Diagram to obtain the behavior of the firewall device.
- an understanding of the firewall behavior may be obtained faster than through a straight-forward walking through the policy.
- attempting to match an incoming packet to the behavior rules as a firewall is a linear method, one behavior rule at a time to one packet at a time. While this is straightforward, it is also performance prohibitive as the full testing of a firewall configuration requires 2 88 ⁇ br, where br is the number of behavior rules that exist in the device and the 2 88 is an example solution space represented by a BDD or FPD. Larger solution spaces would simply increase the complexity of the analysis.
- the processing time may now be bound to the number of decisions that must be made as opposed to the number of behavior rules. This will be substantially smaller than the number of rules and in most cases be considered constant time.
- a behavior group formed from a single security policy of a firewall containing 1,000 security rules. Each security has one of two decisions, accept or deny. Thus, the linear time processing would put the cost at 2 88 ⁇ 1,000.
- the behavior group as two FPDs, one for the accept traffic and one for the deny traffic, the results become 2 88 ⁇ 2.
- we can make the entire operation constant by modeling the solution space as a FPD as well, replacing 2 88 with a constant 88 thus making it a constant time operation to know what is an accept and what is a deny and follow the paths appropriately.
- FIG. 12 illustrates a computer system 800 capable of implementing the embodiments described herein.
- the computer system 1200 described in relation to FIG. 12 may be a computing system, such as a desktop or laptop computer with one or more software programs stored thereon for performing the operations described above.
- the computer system (system) includes one or more processors 1202 - 1206 .
- Processors 1202 - 1206 may include one or more internal levels of cache (not shown) and a bus controller or bus interface unit to direct interaction with the processor bus 1212 .
- Processor bus 1212 also known as the host bus or the front side bus, may be used to couple the processors 1202 - 1206 with the system interface 1214 .
- Processors 1202 - 1206 may also be purpose built for processing one or more computer-readable instructions.
- System interface 1214 may be connected to the processor bus 1212 to interface other components of the system 1200 with the processor bus 1212 .
- system interface 1214 may include a memory controller 1218 for interfacing a main memory 1216 with the processor bus 1212 .
- the main memory 1216 typically includes one or more memory cards and a control circuit (not shown).
- System interface 1214 may also include an input/output (I/O) interface 1220 to interface one or more I/O bridges or I/O devices with the processor bus 1212 .
- I/O controllers and/or I/O devices may be connected with the I/O bus 1226 , such as I/O controller 1228 and I/O device 1230 , as illustrated.
- I/O device 1230 may also include an input device (not shown), such as an alphanumeric input device, including alphanumeric and other keys for communicating information and/or command selections to the processors 1202 - 1206 .
- an input device such as an alphanumeric input device, including alphanumeric and other keys for communicating information and/or command selections to the processors 1202 - 1206 .
- cursor control such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to the processors 1202 - 1206 and for controlling cursor movement on the display device.
- System 1200 may include a dynamic storage device, referred to as main memory 1216 , or a random access memory (RAM) or other computer-readable devices coupled to the processor bus 1212 for storing information and instructions to be executed by the processors 1202 - 1206 .
- Main memory 1216 also may be used for storing temporary variables or other intermediate information during execution of instructions by the processors 1202 - 1206 .
- System 1200 may include a read only memory (ROM) and/or other static storage device coupled to the processor bus 1212 for storing static information and instructions for the processors 1202 - 1206 .
- ROM read only memory
- FIG. 12 is but one possible example of a computer system that may employ or be configured in accordance with aspects of the present disclosure.
- the above techniques may be performed by computer system 1200 in response to processor 1204 executing one or more sequences of one or more instructions contained in main memory 1216 . These instructions may be read into main memory 1216 from another machine-readable medium, such as a storage device. Execution of the sequences of instructions contained in main memory 1216 may cause processors 1202 - 1206 to perform the process steps described herein. In alternative embodiments, circuitry may be used in place of or in combination with the software instructions. Thus, embodiments of the present disclosure may include both hardware and software components.
- a machine readable medium includes any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). Such media may take the form of, but is not limited to, non-volatile media and volatile media. Non-volatile media includes optical or magnetic disks. Volatile media includes dynamic memory, such as main memory 1216 .
- Machine-readable medium may include, but is not limited to, magnetic storage medium (e.g., floppy diskette); optical storage medium (e.g., CD-ROM); magneto-optical storage medium; read only memory (ROM); random access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or other types of medium suitable for storing electronic instructions.
- magnetic storage medium e.g., floppy diskette
- optical storage medium e.g., CD-ROM
- magneto-optical storage medium e.g., magneto-optical storage medium
- ROM read only memory
- RAM random access memory
- EPROM and EEPROM erasable programmable memory
- flash memory or other types of medium suitable for storing electronic instructions.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Claims (19)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/209,771 US9270704B2 (en) | 2013-03-13 | 2014-03-13 | Modeling network devices for behavior analysis |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201361780555P | 2013-03-13 | 2013-03-13 | |
US14/209,771 US9270704B2 (en) | 2013-03-13 | 2014-03-13 | Modeling network devices for behavior analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
US20140282855A1 US20140282855A1 (en) | 2014-09-18 |
US9270704B2 true US9270704B2 (en) | 2016-02-23 |
Family
ID=51534968
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/209,771 Active US9270704B2 (en) | 2013-03-13 | 2014-03-13 | Modeling network devices for behavior analysis |
Country Status (1)
Country | Link |
---|---|
US (1) | US9270704B2 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10812342B2 (en) | 2017-04-28 | 2020-10-20 | Hewlett Packard Enterprise Development Lp | Generating composite network policy |
US10992520B2 (en) | 2014-11-06 | 2021-04-27 | Hewlett Packard Enterprise Development Lp | Network policy graphs |
US11122091B2 (en) | 2019-04-16 | 2021-09-14 | FireMon, LLC | Network security and management system |
Families Citing this family (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101563059B1 (en) * | 2012-11-19 | 2015-10-23 | 삼성에스디에스 주식회사 | Anti-malware system and data processing method in same |
US10033693B2 (en) | 2013-10-01 | 2018-07-24 | Nicira, Inc. | Distributed identity-based firewalls |
US9276904B2 (en) | 2014-02-20 | 2016-03-01 | Nicira, Inc. | Specifying point of enforcement in a firewall rule |
US9503427B2 (en) | 2014-03-31 | 2016-11-22 | Nicira, Inc. | Method and apparatus for integrating a service virtual machine |
US9215210B2 (en) | 2014-03-31 | 2015-12-15 | Nicira, Inc. | Migrating firewall connection state for a firewall service virtual machine |
US9906494B2 (en) | 2014-03-31 | 2018-02-27 | Nicira, Inc. | Configuring interactions with a firewall service virtual machine |
US9825913B2 (en) | 2014-06-04 | 2017-11-21 | Nicira, Inc. | Use of stateless marking to speed up stateful firewall rule processing |
US9729512B2 (en) | 2014-06-04 | 2017-08-08 | Nicira, Inc. | Use of stateless marking to speed up stateful firewall rule processing |
US9692727B2 (en) | 2014-12-02 | 2017-06-27 | Nicira, Inc. | Context-aware distributed firewall |
US10606626B2 (en) | 2014-12-29 | 2020-03-31 | Nicira, Inc. | Introspection method and apparatus for network access filtering |
US9467455B2 (en) | 2014-12-29 | 2016-10-11 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9100430B1 (en) | 2014-12-29 | 2015-08-04 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9648036B2 (en) | 2014-12-29 | 2017-05-09 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US10104042B2 (en) * | 2015-01-27 | 2018-10-16 | Red Hat, Inc. | Security policy management |
US9838354B1 (en) * | 2015-06-26 | 2017-12-05 | Juniper Networks, Inc. | Predicting firewall rule ranking value |
US9755903B2 (en) | 2015-06-30 | 2017-09-05 | Nicira, Inc. | Replicating firewall policy across multiple data centers |
US10324746B2 (en) | 2015-11-03 | 2019-06-18 | Nicira, Inc. | Extended context delivery for context-based authorization |
US10348685B2 (en) | 2016-04-29 | 2019-07-09 | Nicira, Inc. | Priority allocation for distributed service rules |
US10135727B2 (en) | 2016-04-29 | 2018-11-20 | Nicira, Inc. | Address grouping for distributed service rules |
US11171920B2 (en) | 2016-05-01 | 2021-11-09 | Nicira, Inc. | Publication of firewall configuration |
US11425095B2 (en) | 2016-05-01 | 2022-08-23 | Nicira, Inc. | Fast ordering of firewall sections and rules |
US11082400B2 (en) | 2016-06-29 | 2021-08-03 | Nicira, Inc. | Firewall configuration versioning |
US11258761B2 (en) | 2016-06-29 | 2022-02-22 | Nicira, Inc. | Self-service firewall configuration |
US10938837B2 (en) | 2016-08-30 | 2021-03-02 | Nicira, Inc. | Isolated network stack to manage security for virtual machines |
US9762619B1 (en) | 2016-08-30 | 2017-09-12 | Nicira, Inc. | Multi-layer policy definition and enforcement framework for network virtualization |
US10193862B2 (en) | 2016-11-29 | 2019-01-29 | Vmware, Inc. | Security policy analysis based on detecting new network port connections |
US10715607B2 (en) | 2016-12-06 | 2020-07-14 | Nicira, Inc. | Performing context-rich attribute-based services on a host |
US10803173B2 (en) | 2016-12-22 | 2020-10-13 | Nicira, Inc. | Performing context-rich attribute-based process control services on a host |
US10581960B2 (en) | 2016-12-22 | 2020-03-03 | Nicira, Inc. | Performing context-rich attribute-based load balancing on a host |
US10805332B2 (en) | 2017-07-25 | 2020-10-13 | Nicira, Inc. | Context engine model |
US10812451B2 (en) | 2016-12-22 | 2020-10-20 | Nicira, Inc. | Performing appID based firewall services on a host |
US10802858B2 (en) | 2016-12-22 | 2020-10-13 | Nicira, Inc. | Collecting and processing contextual attributes on a host |
US11032246B2 (en) | 2016-12-22 | 2021-06-08 | Nicira, Inc. | Context based firewall services for data message flows for multiple concurrent users on one machine |
US10778651B2 (en) | 2017-11-15 | 2020-09-15 | Nicira, Inc. | Performing context-rich attribute-based encryption on a host |
US10652283B1 (en) * | 2017-12-06 | 2020-05-12 | Amazon Technologies, Inc. | Deriving system architecture from security group relationships |
CN108092979B (en) * | 2017-12-20 | 2021-05-28 | 国家电网公司 | Firewall policy processing method and device |
US10802893B2 (en) | 2018-01-26 | 2020-10-13 | Nicira, Inc. | Performing process control services on endpoint machines |
US10862773B2 (en) | 2018-01-26 | 2020-12-08 | Nicira, Inc. | Performing services on data messages associated with endpoint machines |
TWI844586B (en) * | 2018-11-26 | 2024-06-11 | 美商阿爾克斯股份有限公司 | Logical routing system comprising disaggregated network elements and method thereof |
US11310202B2 (en) | 2019-03-13 | 2022-04-19 | Vmware, Inc. | Sharing of firewall rules among multiple workloads in a hypervisor |
US11539718B2 (en) | 2020-01-10 | 2022-12-27 | Vmware, Inc. | Efficiently performing intrusion detection |
US11283830B2 (en) * | 2020-03-19 | 2022-03-22 | Cisco Technology, Inc. | Protecting device classification systems from adversarial endpoints |
US20210409376A1 (en) * | 2020-06-30 | 2021-12-30 | Vmware, Inc. | Firewall rule statistic mini-maps |
US11108728B1 (en) | 2020-07-24 | 2021-08-31 | Vmware, Inc. | Fast distribution of port identifiers for rule processing |
US11875172B2 (en) | 2020-09-28 | 2024-01-16 | VMware LLC | Bare metal computer for booting copies of VM images on multiple computing devices using a smart NIC |
US11995024B2 (en) | 2021-12-22 | 2024-05-28 | VMware LLC | State sharing between smart NICs |
US11928062B2 (en) | 2022-06-21 | 2024-03-12 | VMware LLC | Accelerating data message classification with smart NICs |
US11899594B2 (en) | 2022-06-21 | 2024-02-13 | VMware LLC | Maintenance of data message classification cache on smart NIC |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020051448A1 (en) * | 2000-08-18 | 2002-05-02 | Mohan Kalkunte | Method and apparatus for filtering packets based on flows using address tables |
US20060195896A1 (en) | 2004-12-22 | 2006-08-31 | Wake Forest University | Method, systems, and computer program products for implementing function-parallel network firewall |
US20060218280A1 (en) | 2005-03-23 | 2006-09-28 | Gouda Mohamed G | System and method of firewall design utilizing decision diagrams |
US20060294577A1 (en) | 2005-06-15 | 2006-12-28 | The Board Of Regents, The University Of Texas System | System and method of resolving discrepancies between diverse firewall designs |
US20070162968A1 (en) * | 2005-12-30 | 2007-07-12 | Andrew Ferreira | Rule-based network address translation |
US20080301765A1 (en) | 2007-05-31 | 2008-12-04 | The Board Of Trustees Of The University Of Illinois | Analysis of distributed policy rule-sets for compliance with global policy |
US7610621B2 (en) | 2004-03-10 | 2009-10-27 | Eric White | System and method for behavior-based firewall modeling |
US20100118871A1 (en) * | 2008-10-15 | 2010-05-13 | Board Of Trustees Of Michigan State University | Systematic approach towards minimizing packet classifiers |
US20100205651A1 (en) | 2007-09-20 | 2010-08-12 | Nec Corporation | Security operation management system, security operation management method, and security operation management program |
US20110213738A1 (en) | 2010-03-01 | 2011-09-01 | Subhabrata Sen | Methods and apparatus to model end-to-end class of service policies in networks |
US8176561B1 (en) | 2006-12-14 | 2012-05-08 | Athena Security, Inc. | Assessing network security risk using best practices |
US20130085978A1 (en) * | 2011-08-02 | 2013-04-04 | Cavium, Inc. | Decision Tree Level Merging |
US20140122791A1 (en) | 2012-10-26 | 2014-05-01 | Cisco Technology, Inc. | System and method for packet classification and internet protocol lookup in a network environment |
US8730967B1 (en) * | 2007-07-09 | 2014-05-20 | Marvell Israel (M.I.S.L) Ltd. | Policy-based virtual routing and forwarding (VRF) assignment |
US20140201804A1 (en) | 2013-01-11 | 2014-07-17 | The Court Of Edinburgh Napier University | Information sharing |
-
2014
- 2014-03-13 US US14/209,771 patent/US9270704B2/en active Active
Patent Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020051448A1 (en) * | 2000-08-18 | 2002-05-02 | Mohan Kalkunte | Method and apparatus for filtering packets based on flows using address tables |
US7610621B2 (en) | 2004-03-10 | 2009-10-27 | Eric White | System and method for behavior-based firewall modeling |
US20060195896A1 (en) | 2004-12-22 | 2006-08-31 | Wake Forest University | Method, systems, and computer program products for implementing function-parallel network firewall |
US20060218280A1 (en) | 2005-03-23 | 2006-09-28 | Gouda Mohamed G | System and method of firewall design utilizing decision diagrams |
US7818793B2 (en) * | 2005-03-23 | 2010-10-19 | The Board Of Regents, University Of Texas System | System and method of firewall design utilizing decision diagrams |
US20060294577A1 (en) | 2005-06-15 | 2006-12-28 | The Board Of Regents, The University Of Texas System | System and method of resolving discrepancies between diverse firewall designs |
US20070162968A1 (en) * | 2005-12-30 | 2007-07-12 | Andrew Ferreira | Rule-based network address translation |
US8176561B1 (en) | 2006-12-14 | 2012-05-08 | Athena Security, Inc. | Assessing network security risk using best practices |
US20080301765A1 (en) | 2007-05-31 | 2008-12-04 | The Board Of Trustees Of The University Of Illinois | Analysis of distributed policy rule-sets for compliance with global policy |
US8730967B1 (en) * | 2007-07-09 | 2014-05-20 | Marvell Israel (M.I.S.L) Ltd. | Policy-based virtual routing and forwarding (VRF) assignment |
US20100205651A1 (en) | 2007-09-20 | 2010-08-12 | Nec Corporation | Security operation management system, security operation management method, and security operation management program |
US20100118871A1 (en) * | 2008-10-15 | 2010-05-13 | Board Of Trustees Of Michigan State University | Systematic approach towards minimizing packet classifiers |
US20110213738A1 (en) | 2010-03-01 | 2011-09-01 | Subhabrata Sen | Methods and apparatus to model end-to-end class of service policies in networks |
US20130085978A1 (en) * | 2011-08-02 | 2013-04-04 | Cavium, Inc. | Decision Tree Level Merging |
US20140122791A1 (en) | 2012-10-26 | 2014-05-01 | Cisco Technology, Inc. | System and method for packet classification and internet protocol lookup in a network environment |
US20140201804A1 (en) | 2013-01-11 | 2014-07-17 | The Court Of Edinburgh Napier University | Information sharing |
Non-Patent Citations (14)
Title |
---|
Al-Shaer et al. Firewall Policy Advisor for Anomally Discovery and Rule Editing, 2003, Springer Science+Business Media Dordrecht, pp. 17-30. |
Al-Shaer, et al. "Modeling and management of firewall policies." Network and Service Management, IEEE Transactions on 1.1 (2004): 2-10. * |
Al-Shaer, et. al. "Design and implementation of firewall policy advisor tools." DePaul University, CTI, Tech. Rep (2002). * |
Gouda et al. Firewall Design: Consistency, Completeness, and Compactness, 2004, IEEE Computer Society, ICDCS'04, pp. 1-8. |
Gouda et al. Structured firewall design, 2006, Elsevier B.V., Computer Networks 51 (2007), pp. 1106-1120. |
Hazelhurst et al. Binary Decision Diagram Representation of Firewall and Router Access Lists, 1998, Conference of the South African Institute of Computer Scientists and Information Technologists-SAICSIT, pp. 1-12. |
Hazelhurst, et. al. "Algorithms for improving the dependability of firewall and filter rule lists." Dependable Systems and Networks, 2000. DSN 2000. Proceedings International Conference on. IEEE, 2000. * |
Liu et al. Diverse Firewall Design, 2008, IEEE Transactions on Parallel and Distributed Systems, vol. 19, No. 9, pp. 1-15. |
Non-Final Office Action regarding U.S. Appl. No. 14/209,574, dated Jun. 12, 2014. |
Paul et al. Design and Implementation of Packet Filter Firewall using Binary Decision Diagram, 2011, IEEE, Proceedings of the 2011 IEEE Student's Technology Symposium, IIT Kharagpur, pp. 17-22. |
Randal E. Bryant, Graph-Based Algorithms for Boolean Function Manipulation, 1986, IEEE Transactions on Computers, vol. C35, No. 8, pp. 677-691. |
U.S. Appl. No. 14/209,574, filed Mar. 13, 2014, Clark et al. |
Yuan et al. FIREMAN: A Toolkit for FIREwall Modeling and ANalysis, 2006, IEEE Symposium on security and Privacy (S&P'06), pp. 1-15. |
Yuan, et al. "Fireman: A toolkit for firewall modeling and analysis." Security and Privacy, 2006 IEEE Symposium on. IEEE, 2006. * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10992520B2 (en) | 2014-11-06 | 2021-04-27 | Hewlett Packard Enterprise Development Lp | Network policy graphs |
US10812342B2 (en) | 2017-04-28 | 2020-10-20 | Hewlett Packard Enterprise Development Lp | Generating composite network policy |
US11122091B2 (en) | 2019-04-16 | 2021-09-14 | FireMon, LLC | Network security and management system |
Also Published As
Publication number | Publication date |
---|---|
US20140282855A1 (en) | 2014-09-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9270704B2 (en) | Modeling network devices for behavior analysis | |
US9578061B2 (en) | System and method for modeling a networking device policy | |
US9100363B2 (en) | Automatically recommending firewall rules during enterprise information technology transformation | |
US8176561B1 (en) | Assessing network security risk using best practices | |
US10051007B2 (en) | Network traffic control device, and security policy configuration method and apparatus thereof | |
Wang et al. | Towards a security-enhanced firewall application for openflow networks | |
Bjørner et al. | Checking cloud contracts in Microsoft Azure | |
Bringhenti et al. | Improving the formal verification of reachability policies in virtualized networks | |
Ranathunga et al. | Case studies of scada firewall configurations and the implications for best practices | |
EP2023567B1 (en) | Managing security rule conflicts | |
CN108667776B (en) | Network service diagnosis method | |
Al-Shaer | Automated firewall analytics: Design, configuration and optimization | |
KR20220125251A (en) | Programmable Switching Device for Network Infrastructures | |
Foley et al. | A firewall algebra for openstack | |
Basile et al. | Inter‐function anomaly analysis for correct SDN/NFV deployment | |
Ranathunga et al. | Malachite: Firewall policy comparison | |
US8495721B1 (en) | Data network security policies | |
Samak et al. | Firecracker: A framework for inferring firewall policies using smart probing | |
Meena et al. | SIPAV-SDN: source Internet protocol address validation for software defined network | |
Clark et al. | Modeling firewalls for behavior analysis | |
Haerens et al. | Investigating the creation of an evolvable firewall rule base and guidance for network firewall architecture, using the normalized systems theory | |
Clark | Firewall policy diagram: Novel data structures and algorithms for modeling, analysis, and comprehension of network firewalls | |
Hanamsagar et al. | Firewall anomaly management: A survey | |
Zhang et al. | A novel method against the firewall bypass threat in OpenFlow networks | |
Sudarsan et al. | Performance Evaluation of Data Structures in implementing Access Control Lists |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: FIREMON, LLC, KANSAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CLARK, PATRICK G.;BRAZIL, JODY;REEL/FRAME:032605/0459 Effective date: 20140404 |
|
AS | Assignment |
Owner name: SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT, CALI Free format text: MEMORANDUM AND NOTICE OF SECURITY INTEREST IN INTELLECTUAL PROPERTY;ASSIGNOR:FIREMON, LLC;REEL/FRAME:035582/0472 Effective date: 20150410 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: WELLS FARGO BANK, NATIONAL ASSOCIATION, AS AGENT, Free format text: SECURITY INTEREST;ASSIGNORS:FIREMON, LLC;IMMEDIATE INSIGHT, INC.;REEL/FRAME:037831/0385 Effective date: 20160225 Owner name: FIREMON, LLC, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT;REEL/FRAME:037927/0048 Effective date: 20160225 |
|
CC | Certificate of correction | ||
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 4 |
|
AS | Assignment |
Owner name: SILICON VALLEY BANK, AS ADMINISTRATIVE AGENT, CALIFORNIA Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:FIREMON, LLC;IMMEDIATE INSIGHT, INC.;LUMETA CORPORATION;REEL/FRAME:053532/0428 Effective date: 20200818 |
|
AS | Assignment |
Owner name: FIREMON, LLC, KANSAS Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:WELLS FARGO BANK, NATIONAL ASSOCIATION;REEL/FRAME:053806/0338 Effective date: 20200818 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 8 |