Generating an outbound connection security policy based on an inbound connections security policy

Information

  • Patent Application
  • 20070016937
  • Publication Number
    20070016937
  • Date Filed
    July 15, 2005
    19 years ago
  • Date Published
    January 18, 2007
    17 years ago
Abstract
A security system that allows an outbound security policy for the connection security to be automatically derived from an inbound security policy for connection security is provided. The security system for an inbound security policy has security suites that each specify one or more security algorithms. Because the security system offers an outbound security suite that matches an inbound security suite, the computing devices that have the same inbound security policy have matching inbound and outbound security suites.
Description
BACKGROUND

Computing devices are being used to store and transmit vast amounts of sensitive data. Computing devices that are connected to the Internet or other networks (e.g., cellular phone networks) are under constant attack by hackers seeking to obtain or destroy such sensitive data. To ensure the privacy of the sensitive data during both storage and transmission, many different security tools have been implemented to secure such sensitive data. The security tools include application level firewall tools and Internet Protocol (“IP”) security tools. An application level firewall allows restrictions to be placed on the source and destination of data that is transmitted between applications executing on different computing devices. For example, an application level firewall may prevent a computing device that is not authorized to send data to a protected computing device from doing so. The firewall may intercept all data that is sent to the protected computing device and discard the data when it is not from a computing device with an authorized IP address. An application level firewall may also restrict access based on port number associated with an application. The restricting of the users and the computing devices from which a protected computing device can receive data can help prevent malicious attacks by malware that seeks to exploit a vulnerability of a computing device. Such malware may include rootkits, Trojan horses, keystroke loggers, and so on.


IP security tools seek to ensure the identity of computing devices receiving or transmitting data and the privacy of the data while in transit. Authentication is a process to help ensure the identity of a computing device, and encryption and integrity protection are processes to help ensure the privacy and integrity of data. IP security tools typically implement the IPsec protocols as defined by RFC 1826 of the Internet Engineering Task Force (“IETF”) entitled “IP Authentication Header (AH)” and by RFC 1827 of the IETF entitled “IP Encapsulating Security Payload (ESP).” The AH protocol is used to provide security services such as connectionless integrity and data origin authentication of IP data. The security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a security gateway and a host. The ESP protocol is designed to provide a mix of security services alone or in combination with the AH protocol. The ESP protocol can be used to provide confidentiality, data origin authentication, and connectionless integrity. The AH and ESP protocols allow data to be transmitted securely between computing devices. The IPsec protocols may use RFC 2409 of the IETF entitled “Internet Key Exchange Protocol” to exchange keys between a pair of communicating devices.


Although tools that implement firewalls and IPsec can help ensure data security of the sensitive data, the configuring of firewalls and IPsec tools can be both difficult and tedious. Typically, such configuration is performed by security personnel of the enterprise who seek to establish a security policy for the enterprise. Security policy may use firewall rules and IPsec or connection rules to define how computing devices of the enterprise communicate with other computing devices both internal and external to the enterprise. Security personnel typically use a firewall tool to define the firewall rules and use an IPsec tool to define the IPsec rules. Security personnel need to coordinate the firewall rules and the IPsec rules to ensure that they are consistent and correctly implement the desired security policy of the enterprise. It can be particularly difficult for security personnel to configure an IPsec tool to implement a security policy because of the complexity of IPsec, because Ipsec terminology can be confusing and inconsistent, and because many decisions need to be made by security personnel. Moreover, because firewall and IPsec are overlapping technologies, it is easy for security personnel to be confused over how to implement an enterprise security policy. As a result, the implementations of security policies of many enterprises may not provide the desired level of security, which leaves the computing devices of the enterprise vulnerable to attack.


IPsec security policies are further difficult to implement because they require that the outbound security policy of an outbound device be symmetric with the inbound security policy of an inbound device. In particular, a rule and crypto suite of security algorithms of an outbound security policy needs to match a rule and a crypto suite of security algorithms of an inbound security policy. Since selecting of security algorithms for security policies can be both tedious and complex, it can be difficult for administrators to establish matching inbound and outbound security policies.


SUMMARY

A security system that allows an outbound security policy for the connection security to be automatically derived from an inbound security policy for connection security is provided. The security system for an inbound security policy has security suites that each specifies one or more security algorithms. Once the inbound security policy is distributed to the computing devices of an enterprise, the security system can use the security suites of the inbound security policy as the basis of the security suites for the outbound security policy of the computing devices. Because each computing device offers an outbound security suite that matches the same inbound security suite that is distributed to the computing devices of an enterprise, those computing devices have matching inbound and outbound security suites.


A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and/or a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules. The security system ensures that the firewall rules and the connection rules are consistent. The security system can also generate firewall rules with knowledge of connection rules because the security rule specifies connection security.


This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.




BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is an overview display page in one embodiment.



FIG. 2 is a display page that illustrates the establishing of a default policy for the domain profile in one embodiment.



FIG. 3 is a display page that illustrates the establishing of crypto suites for key exchange in one embodiment.



FIG. 4 is a display page that illustrates the setting of security algorithms for key exchange crypto suites in one embodiment.



FIG. 5 is a display page that illustrates the setting of crypto suites for data protection in one embodiment.



FIG. 6 is a display page that illustrates the setting of security algorithms for data protection crypto suites in one embodiment.



FIG. 7 is a display page that illustrates the setting of authentication methods in one embodiment.



FIG. 8 is a display page that illustrates inbound exceptions to the default security policy in one embodiment.



FIG. 9 is a display page that illustrates the setting of general properties for inbound exceptions in one embodiment.



FIG. 10 is a display page that illustrates the setting of users and computers properties for inbound exceptions in one embodiment.



FIG. 11 is a display page that illustrates the setting of protocols and ports for inbound exceptions in one embodiment.



FIG. 12 is a display page that illustrates the setting of the address scope to which an inbound exception applies in one embodiment.



FIG. 13 is a display page that illustrates the setting of advanced attributes of an inbound exception in one environment.



FIG. 14 is a display page that illustrates the outbound exceptions to the profiles in one embodiment.



FIG. 15 is a block diagram that illustrates data structures of the security system in one embodiment.



FIG. 16 is a block diagram that illustrates components of the security system in one embodiment.



FIG. 17 is a flow diagram that illustrates the processing of the auto-generate connection security rules component in one embodiment.



FIG. 18 is a flow diagram that illustrates the processing of the set 5-tuple component in one embodiment.



FIG. 19 is a flow diagram that illustrates the processing of the process remote user authorization list component in one embodiment.



FIG. 20 is a flow diagram that illustrates the processing of the set action component in one embodiment.



FIG. 21 is a flow diagram that illustrates the processing of the set matching security suites component in one embodiment.



FIG. 22 is a flow diagram that illustrates the processing of the set non-matching security suites component in one embodiment.



FIG. 23 is a flow diagram that illustrates the processing of a component to establish an outbound security policy for a connection security in one embodiment.



FIG. 24 is a flow diagram that illustrates the processing of the component to establish a connection security policy based on default security suites in one embodiment.



FIG. 25 is a flow diagram that illustrates the processing of a component that automatically generates security suites for main mode of IPsec in one embodiment.




DETAILED DESCRIPTION

A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. In one embodiment, the security system provides a user interface through which a user can define a security rule that specifies a firewall policy and/or a connection policy. For example, the security rule may specify a port through which inbound traffic may be received from a certain computing device and further specifies that traffic received through that port should be encrypted. After the security rule is specified, the security system automatically generates a firewall rule, a connection rule, or a combination of one or more firewall rules and connection rules to implement the security rule. For example, the firewall rule restricts inbound traffic on that port to a computing device with a specified IP address, and the connection rule specifies that inbound traffic to that port and from the specified IP address is to be encrypted. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules. Because the security system automatically generates both the firewall rules and the connection rules that form a higher-level security rule, it can ensure that the firewall rules and the connection rules are consistent. Moreover, since the security system generates firewall rules with knowledge of connection rules, the firewall rules can be based on information that is not normally available to a firewall. In this way, an administrator can rely on the security system to establish consistent firewall rules and connection rules that implement the security policy of an enterprise as expressed by high-level security rules.


In one embodiment, the security system allows a user to establish security rules, also referred to as authenticated firewall rules, that each define a firewall action, conditions under which the action is to be taken, and connection security. The conditions may specify a direction of traffic, the identity of the local application or local service, and a local and a remote address and port, protocol, users and user groups, computers and computer groups, interface types (e.g., wireless LAN), and so on. For example, an authenticated firewall rule may have conditions that specify a local application and remote IP address and port of a computing device. When data directed to that application is received from a computing device with that IP address and port, the conditions of the rule are satisfied and the action of the rule is taken. For example, the action may be to allow the data to be sent to the application or to block the data from being sent to the application. The connection security of the authenticated firewall rule may indicate that the traffic from that remote IP address and port sent to the local application is to be encrypted and have its integrity protected. The security system generates connection security rules to implement the connection security of an authenticated firewall rule. In one embodiment, the security system generates connection security rules from the authenticated firewall rules, but uses the authenticated firewall rules directly as firewall rules. Thus, the term “authenticated” in “authenticated firewall rules” indicates that firewall rules have been augmented with connection security information from which the security system can generate connection security rules (e.g., IPsec rules).


In one embodiment, the security system may provide a default security suite for use in automatically generating connection security rules. The security system may provide default security suites for both the main mode (“phase I”) and the quick mode (“phase II”) of the IPsec protocol, and for key exchange with the IPsec protocol. A security suite specifies a set of security algorithms to be used by the IPsec protocol. As used herein, a data protection crypto suite may indicate that the ESP protocol is to use SHA-256 for integrity protection and 3DES for encryption. A data protection crypto set may include multiple crypto suites of integrity algorithms and encryption algorithms along with a priority so that an IPsec engine can negotiate which crypto suite to use when communicating with another computing device. Because the security system provides these default security suites, an administrator can specify a security policy that includes connection security rules without having to specify integrity protection algorithms and encryption algorithms. An authentication set of the main mode may specify authentication methods (e.g., Kerberos). A key exchange crypto suite of the main mode may specify a key exchange algorithm (e.g., DH1), an encryption algorithm (e.g., 3DES), and an integrity protection algorithm (e.g., SHA1). An authentication set of the quick mode may specify an authentication method and authentication data. A data protection crypto suite of the quick mode may specify a protocol (e.g., ESP), an encryption algorithm (e.g., 3DES), and an integrity protection algorithm (e.g., SHA1). The security system may allow a user to define additional security suites.


In one embodiment, the security system allows an outbound security policy for connection security to be automatically derived from an inbound security policy for the connection security. The security system for an inbound security policy has security suites that each specifies one or more security algorithms. Once the inbound security policy is distributed to the computing devices of an enterprise, the security system can use the security suites of the inbound security policy as the basis of the security suites for the outbound security policy of the computing devices. For example, the inbound security policy may specify a main mode key exchange crypto suite for IPsec with an integrity algorithm of SHA1, an encryption algorithm of 3DES, and a key exchange algorithm of Diffie-Hellman Group 2. If so, then the security system may offer the same security suite when negotiating an outbound connection. Because each computing device offers an outbound security suite that matches an inbound security suite, the computing devices by definition have matching inbound and outbound security suites. In this way, the computing devices of an enterprise can establish secure connections based on automatically generated outbound security policies. In an alternate embodiment, the security system may automatically generate inbound security policies based on security suites of an outbound security policy. In addition, the security system may automatically augment inbound security policies based on security suites defined for an outbound security policy and augment inbound security policies based on security suites defined for an inbound security policy.


In one embodiment, the security system may provide a security policy for a connection security that is based on default security suites. The security system may define a default security suite for a connection security. For example, a default data protection crypto suite may specify the ESP protocol and include an integrity algorithm of SHA1, and another default data protection crypto suite may specify the ESP protocol and include an integrity algorithm of SHA1 and an encryption algorithm of 3DES. The security system may provide a user interface through which an administrator can select whether the ESP protocol should be based solely on integrity checking or based both on integrity checking and encryption. Based on the selection by an administrator, the security system will automatically use the associated default data protection crypto suite.



FIGS. 1-14 are display pages that illustrate the user interface of the security system in one embodiment. FIG. 1 is an overview display page in one embodiment. Display page 100 includes an overview area 110 provides an overview of current policy defaults and a security policy area 120 provides an introduction to concepts used in the user interface. The overview area includes a domain profile area 111 and a standard profile area 113. The profile areas indicate default policies that that security system implements when generating authenticated firewall rules. The domain profile area specifies a default policy that applies when the computing device is connected to a domain of which it is a member (e.g., LAN of an enterprise), and the standard profile area specifies a default policy that applies when the computing device is not connected to a domain of which it is a member (e.g., via a publicly accessible Internet access point). In this example, the domain profile area indicates that the firewall is enabled, inbound connections are denied or blocked by default, and outbound connections are allowed by default. The domain profile properties button 112 and the standard profile properties button 114 provide access to display pages for modifying the default profile behavior. The security policy area includes a connection security area 121 and a firewall security area 122. The connection security area allows a user to define security suites for use in generating the connection security rules and to create custom connection security rules. The firewall security area allows the user to define authenticated firewall rules, which specify exceptions to the default policies as specified in the domain profile area or standard profile area.



FIG. 2 is a display page that illustrates the establishing of a default policy for the domain profile in one embodiment. Display page 200 includes an inbound connections box 201, an outbound connections box 202, and a settings button 203. The inbound connections box allows the user to establish a default policy of allowing or denying inbound connections. The outbound connections box allows the user to establish a default policy of allowing or denying outbound connections. The settings button allows the user to specify general behavior of the firewall tool such as notifying a user when a program is blocked from accepting inbound connections, allowing a local administrator to create exceptions, and so on.



FIG. 3 is a display page that illustrates the establishing of crypto suites for key exchange in one embodiment. Display page 300 includes radio buttons 301 and 302 and settings button 303 for controlling the exchange of keys during the main mode of IPsec. The radio buttons allow the user to select a standard set of crypto suites that may be defined hierarchically by groups within an enterprise or to specify custom security suites for key exchange. In general, the security policy, such as authenticated firewall rules and security suites, may be defined at various group levels within an enterprise. For example, the entire enterprise may be the highest-level group and various divisions may be lower-level groups. The enterprise security policies may specify the minimum security policy for all computing devices of the enterprise. A division security policy may be a more restrictive policy, for example, because of the highly sensitive nature of the data handled by the computing devices of that division. The security system may establish that the default security policy for a computing device is a combination of the security policies of all the groups to which it hierarchically belongs. The settings button allows a user to customize the default security policy.



FIG. 4 is a display page that illustrates the setting of security algorithms for key exchange crypto suites in one embodiment. Display page 400 includes crypto suite definition area 410 that defines three crypto suites 411-413. Each crypto suite specifies an integrity algorithm, encryption algorithm, and key exchange algorithm. The ordering of the key exchange crypto suites indicates the preference used by the security system in negotiating which key exchange suite to use.



FIG. 5 is a display page that illustrates the setting of crypto suites for data protection in one embodiment. Data protection security includes both integrity protection and encryption. Display page 500 includes radio buttons 501 and 502 and settings button 503 for managing data protection security. The radio buttons allow the user to select and use standard crypto suites or to specify custom crypto suites for data protection. The settings button allows a user to specify a custom crypto suite for data protection.



FIG. 6 is a display page that illustrates the setting of security algorithms for crypto suites for data protection in one embodiment. Display page 600 includes a data integrity area 601 and a data integrity and encryption area 602. The data integrity area specifies crypto suites for data integrity only. Each crypto suite specifies the protocol and the integrity algorithm. The data integrity and encryption area specifies crypto suites for data integrity and encryption. Each crypto suite specifies a protocol, integrity algorithm, and encryption algorithm.



FIG. 7 is a display page that illustrates the setting of authentication methods in one embodiment. Display page 700 includes radio buttons 701-704 and settings button 705. The radio button 701 allows a user to select the default authentication method, which may be based on a hierarchy of authentication methods. Radio buttons 702-704 allow a user to select alternate default authentication methods. The settings button allows a user to specify custom authentication methods.



FIG. 8 is a display page that illustrates inbound exceptions to the default security policy in one embodiment. Display page 800 includes inbound exception area 810 and new inbound exception button 820. The inbound exception area lists inbound exceptions 811-816 to the default security policy. Each inbound exception includes a name, an action, a users, a required encryption, a profile, an additional conditions, an enable, and other fields, which are not shown in this example, that describe the inbound exception. A user uses the new inbound exception button to define or modify an inbound exception. A user modifies an inbound exception by selecting the inbound and then a properties option.



FIGS. 9-13 are display pages that illustrate the defining of inbound exceptions in one embodiment. FIG. 9 is a display page that illustrates the setting of general properties for inbound exceptions in one embodiment. Display page 900 includes a name area 901, a programs area 902, and an action area 903. A user enters the name of the inbound exception in the name area and indicates whether the inbound exception is enabled. A user uses the programs area to specify whether the inbound exception applies to all programs or to a subset of programs as a condition of the authenticated firewall rule. A user uses the action area to specify the action to take when the conditions of the inbound exception are satisfied. The actions include to allow all connections, to allow only secured connections, and to deny connections. When the user indicates to allow only secure connections, then the security system sets an auto-generation flag of the authenticated firewall rule so that the corresponding connection security rule can be automatically generated.



FIG. 10 is a display page that illustrates the setting of users and computers properties for inbound exceptions in one embodiment. Display page 1000 includes a users area 1001 and a computers area 1002. A user enters the names of users or computers, individually or as a group, as a condition of the authenticated firewall rule to restrict the users or computers to which the inbound exception applies.



FIG. 11 is a display page that illustrates the setting of protocols and ports for inbound exceptions in one embodiment. Display page 1100 includes a protocol area 1101, a ports area 1102, and an ICMP area 1103. The protocol area allows a user to specify the protocol as a condition of the authenticated firewall rule to which the inbound exception applies. The port area indicates the local and remote ports as a condition of the authenticated firewall rule to which the inbound exception applies if the protocol is TCP or UDP. The ICMP area allows the user to specify Internet Control Management Protocol parameters as a condition of the authenticated firewall rule when the ICMP protocol is specified.



FIG. 12 is a display page that illustrates the setting of the address scope to which an inbound exception applies in one embodiment. Display page 1200 includes a local address area 1201 and a remote address area 1202. The local address area and remote address area allow the user to specify the local and remote addresses as conditions of the authenticated firewall rule to which the inbound exception applies.



FIG. 13 is a display page that illustrates the setting of advanced attributes of an inbound exception in one environment. Display page 1300 includes a profile area 1301, an interface types button 1302, and a services button 1303. The profile area allows a user to specify to which profiles (i.e., domain and/or standard) as a condition of the authenticated firewall rule the inbound exception applies. The interface types button allows a user to specify the types of interfaces as a condition of the authenticated firewall rule to which the inbound exception applies. The services button allows the user to specify the services as a condition of the authenticated firewall rule to which the inbound exception applies.



FIG. 14 is a display page that illustrates the outbound exceptions to the profiles in one embodiment. Display page 1400 includes an outbound exception list area 1401 that lists the outbound exceptions. The security system provides a user interface that allows a user to create and modify outbound exceptions in much the same way as inbound exceptions are modified.



FIG. 15 is a block diagram that illustrates data structures of the security system in one embodiment. The data structures include security suites 1501-1504 and rules 1506-1507. The data structures may be stored as part of the registry of a host computing device in one embodiment. The security suites 1501 define authentication sets for the main mode of IPsec. Each authentication set identifies an authentication method and authentication data. The security suites 1502 define key exchange crypto suites for the main mode of IPsec. A key exchange crypto suite includes a key exchange algorithm, an encryption algorithm, and an integrity algorithm. The security suites 1503 define the authentication sets for quick mode of IPsec. A authentication set identifies an authentication method and authentication data. The security suites 1504 define the data protection crypto suites for the quick mode of IPsec. The crypto suites include the protocol, encryption algorithm, and integrity algorithm. The connection security rules and the authenticated firewall rules define rules for IPsec and a firewall, respectively. Table 1 defines the fields of the authenticated firewall rules, and table 2 defines the fields of the connection security rules.

TABLE 1#FieldNameField SyntaxIf not presentComments1VersionThe version format is v<Major>.<minor>Rule rejected.The version is mandatory and is the firstfield in the rule string. It is not a namevalue pair, just the field syntax.2ActionActionBlock | Allow | AllowBypassRule rejected.The action field is mandatory.3NameNameThe name can be either a text name or aThis is for display purposes. It isreference into a dll's resource string.different than the registry value name.The dll resource format is: @<dllfilename>,index. The dll filename can bea full path including environmentvariables (% × %).4DirectionDirIn | OutRule rejected.5LocalAppFull path to executableIf neither applica-Path can includeIf both a service andApplicationtion or service isenvironmentapplication arepresent, then thevariables (% × %).specified then the6Local ServiceSvcService Name Short Name or *rule applies to allThe Service SIDrule applies only toapplications andcan be generatedthe service that isservices.from servicerunning inside thename. * indicatesspecified application.all services.This qualifies therule to apply totraffic originatingfrom or received bythe specifiedapplication or service.It is evaluated onlyon the machinedescribed in this ruleby the local address.7Local NetworkIFGUIDIf there are noThe interfaces' guides are defined in stringInterfaceIF, IFType, LA4,values that are found in this pattern:or LA6 fields,HKEY_LOCAL_MACHINE\SOFTWARE\then the ruleMicrosoft\WindowsNT\CurrentVersion\applies to all localNetworkCards\<n>\Service Name <n> is anaddresses andarbitrary integer key.Network Interfaces.8Local NetworkIFTypeTraversal | Wireless | LAN | RASInterfaceType9Local IPv4LA4Single address, subnet or range expressionThe n in the ip subnet syntax is an integerAddressip addressxx.xx.xx.xxin the range 1-32.ip subnetxx.xx.xx.xx/nip address rangexx.xx.xx.xx-xx.xx.xx.xxBroadcastKeyword: BcastMulticastKeyword: MCast10Local IPv6LA6Single address, subnet or range expressionAn IPv6 address can be fully represented,Addressip addressxxxx:xxxx:xxxx:xxxx:or shortened by either removing leading zerosxxxx:xxxx:xxxx:xxxxor zero compression. The n in the ip subnetip subnetxxxx:xxxx:xxxx:xxxx:syntax is an integer in the range 1-128.xxxx:xxxx:xxxx:xxxx/nip address rangexxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx-xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxxBroadcastKeyword: BcastMulticastKeyword: MCast11Remote IPv4RA4Single address, subnet or range expressionIf there are noThe n in the ip subnet syntax must be anAddressip addressxx.xx.xx.xxRemote IPv4 orinteger in the range 1-32.ip subnetxx.xx.xx.xx/nIPv6 Addressip address rangexx.xx.xx.xx-xx.xx.xx.xxfields, then thelocal subnetKeyword: LocalSubnetrule applies to allDNS ServersKeyword: DNSRemote addresses.WINS ServersKeyword: WINSDHCP ServersKeyword: DHCPDefault GatewayKeyword: DefaultGWBroadcastKeyword: BcastMulticastKeyword: MCast12Remote IPv6RA6Single address, subnet or range expressionAn IPv6 address can be fully represented, orAddressip addressxxxx:xxxx:xxxx:xxxx:shortened by either removing leading zerosxxxx:xxxx:xxxx:xxxxor zero compression. The n in the ip subnetip subnetxxxx:xxxx:xxxx:xxxx:syntax is an integer in the range 1-128.xxxx:xxxx:xxxx:xxxx/nip address rangexxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx-xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxxlocal subnetKeyword: LocalSubnetDNS ServersKeyword: DNSWINS ServersKeyword: WINSDHCP ServersKeyword: DHCPDefault GatewayKeyword: DefaultGWBroadcastKeyword: BcastMulticastKeyword: MCast13Local PortLPortSingle port, Range or dynamic RPC port setRule applies to allProtocol = 6 (TCP) or Protocol =Single portInteger: Min = 0,local/remote ports.17 (UDP) is specified else the rule isMax = 65535invalid.Port Range<low bound Integer>-The RPC keyword indicates that the<upper bound Integer>local host's set of open, listening RPCDynamic RPCKeyword: RPCports is dynamically resolved to defineport setthe rule's local port setting when the14Remote PortRPortSingle port, range or dynamic RPC port setpolicy is evaluated.Single portInteger: Min = 0,Max = 65535Port Range<low bound Integer>-<upper bound Integer>15IP ProtocolProtocolip protocol number 0-255Rule applies to allip traffic.16ICMPICMP< type 0-255>:<code 0-255 | * >Rule applies to allIf Protocol = 1 (ICMPv4) or 58ICMP traffic only(IPv6-ICMP) is not present, then theif Protocol = 1presence of this field will result in(ICMPv4) or 58an invalid rule. Both ICMPv4 and(IPv6-ICMP).ICMPv6 share the type and codeparameters but have different values forequivalent type and code pairs.17DescriptionDesc1024 character Unicode stringThis is for display purposes.18ActiveActiveFALSE | TRUEThe rule is enforced.If False then rule is not enforced.19RemoteRMAuthSDDL StringNo authorizationThis authorization check is evaluated byMachineis applied to thethe machine described in this rule by theAuthorizationremote machine.local address, restricting the remotelyListauthenticated machine to those describedin the list. If the remote machine is notpresent in this list, then this rule doesnot allow or block access.20Remote UserRUAuthSDDL StringNo authorizationThis authorization check is evaluated byAuthorizationis applied to thethe machine described in this rule by theListremote user.local address, restricting the remotelyauthenticated user to those described inthe list.If the remote user is not present in thislist, then this rule does not allow orblock access.21SecuritySecurityAuthenticate |Traffic allowedAuthenticate adds the condition that theAuthenticateEncryptunencrypted.specified traffic is IPsec protected.AuthenticateEncrypt adds the condition thatthe specified traffic is IPsec protected andencrypted. NotRequired specifies that thereis no restriction based on IPsec protection.Traffic protected and clear is equally allowed.22EmbeddedEmbedCtx1024 character Unicode stringNo effect on rule.This is ignored by the service. It is usedContextto group rules, such as these firewallservices: Remote Administration or Fileand Printer Sharing, into single conceptspresented in the UI, Netsh and COMAPIs, and to persist address data exactlyas the author inputted it.23PlatformPlatform<PlatformID>:<MajorRule applies to allWindows 2000 = 2.5.0ValidityVersion>:<Minor Version>versions.XP = 2.5.124Auto GenerateAutoGenIPTRUE | FALSEAutoGen is off.If True the engine will attempt tosecgenerate IPsec Rules to cause theIPsec protection this rule requires.














TABLE 2








#
Field
Name
Field Syntax
If not present
Comments




















1
Version

The version format is v<Major>.<minor>
Rule rejected.
The version is mandatory and is the







first field in the rule string. It







is not a name value pair, just the







field syntax.


2
Name
Name
It can be either a text name or a reference

This is for display purposes. It





into a dll's resource string. The dll

is different than the registry





resource format is: @<dll filename>,index.

value name.





The dll filename can be a full path





including environment variables (% × %).


3
Local Network
IF
GUID
The rule applies
The interfaces' guides are defined



Interface


to all Network
in string values that are found in






Interfaces.
this pattern:







HKEY_LOCAL_MACHINE\SOFTWARE\







Microsoft\WindowsNT\







CurrentVersion\NetworkCards\







<n>\ServiceName <n> is an







arbitrary integer key.


4
Local Network
IFType
Traversal | Wireless | LAN | RAS
The rule applies



Interface Type


to all Network






Interfaces.


5
Endpoint 1
EP1_4
Single address, subnet or range expression
If neither EP1_4
The n in the ip subnet syntax














IPv4 Address

ip address
xx.xx.xx.xx
or EP1_6 is
is an integer in the range 1-32.





ip subnet
xx.xx.xx.xx/n
specified, then the
Keywords can only be specified





ip address range
xx.xx.xx.xx-xx.xx.xx.xx
rule applies to any
in either the source or





local subnet
Keyword: LocalSubnet
address.
destination address with the





DNS Servers
Keyword: DNS

exception of Me which can be





WINS Servers
Keyword: WINS

specified in source or





DHCP Servers
Keyword: DHCP

destination when the opposite is





Default Gateway
Keyword: DefaultGW

any other value.





Broadcast
Keyword: Bcast





Multicast
Keyword: MCast





Current Host
Keyword: Me












6
Endpoint 1
EP1_6
Single address, subnet or range expression

An IPv6 address can be fully














IPv6 Address

ip address
xxxx:xxxx:xxxx:xxxx:

represented, or shortened by






xxxx:xxxx:xxxx:xxxx

either removing leading zeros





ip subnet
xxxx:xxxx:xxxx:xxxx:

or zero compression.






xxxx:xxxx:xxxx:xxxx/n

The n in the ip subnet syntax





ip address range
xxxx:xxxx:xxxx:xxxx:

is an integer in the range 1-128.






xxxx:xxxx:xxxx:xxxx-

Keywords can be specified in either






xxxx:xxxx:xxxx:xxxx:

the source or destination address






xxxx:xxxx:xxxx:xxxx

with the exception of Me which can





DNS Servers
Keyword: DNS

be specified in source or destination





WINS Servers
Keyword: WINS

when the opposite is any other value.





DHCP Servers
Keyword: DHCP





Default Gateway
Keyword: DefaultGW





Broadcast
Keyword: Bcast





Multicast
Keyword: MCast





Current Host
Keyword: Me












7
Endpoint 2
EP2_4
Single address, subnet or range expression
If neither EP2_4 or
The n in the ip subnet syntax is an














IPv4 Address

ip address
xx.xx.xx.xx
EP2_6 is specified,
integer in the range 1-32.





ip subnet
xx.xx.xx.xx/n
then the rule
Keywords can only be specified in





ip address range
xx.xx.xx.xx-xx.xx.xx.xx
applies to any
either the source or destination





local subnet
LocalSubnet
address.
address with the exception of Me





DNS Servers
Keyword: DNS

which can be specified in source





WINS Servers
Keyword: WINS

or destination when the opposite





DHCP Servers
Keyword: DHCP

is any other value.





Default Gateway
Keyword: DefaultGW





Broadcast
Keyword: Bcast





Multicast
Keyword: MCast





Current Host
Keyword: Me












8
Endpoint 2
EP2_6
Single address, subnet or range

An IPv6 address can be fully














IPv6 Address

ip address
xxxx:xxxx:xxxx:xxxx:

represented, or shortened by






xxxx:xxxx:xxxx:xxxx

either removing leading zeros





ip subnet
xxxx:xxxx:xxxx:xxxx:

or zero compression.






xxxx:xxxx:xxxx:xxxx/n

The n in the ip subnet syntax





ip address range
xxxx:xxxx:xxxx:xxxx:

must be an integer in the range






xxxx:xxxx:xxxx:xxxx-

1-128.






xxxx:xxxx:xxxx:xxxx:

Keywords can be specified in






xxxx:xxxx:xxxx:xxxx

either the source or destination





local subnet
LocalSubnet

address with the exception of Me





DNS Servers
Keyword: DNS

which can be specified in source





WINS Servers
Keyword: WINS

or destination when the opposite





DHCP Servers
Keyword: DHCP

is any other value.





Default Gateway
Keyword: DefaultGW





Broadcast
Keyword: Bcast





Multicast
Keyword: MCast





Current Host
Keyword: Me












9
Endpoint 1
EP1Port
Single port or dynamic RPC port set
Rule applies to all
Protocol = 6 (TCP) or Protocol =














Port

Single port
Integer: Min = 0,
ports.
17 (UDP) is specified else the






Max = 65535

rule is invalid.





Dynamic RPC
Keyword: RPC

The RPC keyword can only be





port set


specified if the corresponding












10
Endpoint 2
EP2Port
Single port or dynamic RPC port set

source or destination address














Port

Single port
Integer: Min = 0,

is set to Keyword: Me.






Max = 65535

The RPC keyword indicates that





Dynamic RPC
Keyword: RPC

the local host's set of open,





port set


listening RPC ports is dynamically








resolved to define the rule's








local port setting.












11
IP Protocol
Protocol
ip protocol number 0-255
Rule applies to all







ip traffic.


12
Phase I
Auth1Set
GUID
Default Phase I



Authentication


Authentication Set



Set


is used.


13
Phase II
Auth2Set
GUID
No secondary AuthIp



Authentication


authentication is



Set


performed.


14
Phase II
Crypto2Set
GUID
Default Crypto Set



Crypto Set


is used.


15
Embedded
EmbedCtx
1024 character Unicode string
No effect on rule.
This is ignored by the service. It



Context



is used to group rules, such as these







firewall services: Remote







Administration or File and Printer







Sharing, into single concepts presented







in the UI, Netsh, and COM APIs, and







to persist address data as input.


16
Platform
Platform
<PlatformID>:<Major
Rule applies to all
Windows 2000 = 2.5.0 XP = 2.5.1



Validity

Version>:<Minor Version>
versions.


17
Description
Desc
1024 character Unicode string

This is for display purposes.


18
Active
Active
FALSE | TRUE
The rule is enforced.
If False then rule is not enforced.


19
Remote Tunnel
RTunnel4
Single address
Rule does not
There can be no more than one Remote














Endpoint IPv4

ip address
xx.xx.xx.xx
describe a tunnel.
Tunnel Endpoint IPv4 or IPv6 Address



Address




specified per rule. If a rule describes












20
Remote Tunnel

Single address

a tunnel, then the Remote Tunnel














Endpoint IPv6
RTunnel6
ip address
xxxx:xxxx:xxxx:xxxx:

Endpoint is specified.



Address


xxxx:xxxx:xxxx:xxxx












21
Action
Action
SecureServer | DMZ |
Rule rejected.






Secure | DoNotSecure










FIG. 16 is a block diagram that illustrates components of the security system in one embodiment. The security system 1600 includes a user interface component 1601, an authenticated firewall rules store 1602, a connection security rules store 1603, an auto-generate connection security rules component 1604, an ALE component 1605, a transport layer engine 1606, a phase 11 of IPsec component 1607, and a phase I of IPsec component 1608. The user interface component provides the user interface of FIGS. 1-14 and generates and stores the authenticated firewall rules in the authenticated firewall rules store. The user interface component may also store user-defined custom connection security rules in the connection security rules store. The auto-generate connection security rules component executes on a host computer to generate connection security rules from the authenticated firewall rules. The auto-generate connection security rules component is described in detail below. The ALE component performs application layer filtering and enforces the firewall rules of the authenticated firewall rules store and may take into consideration connection security information that may be passed from the transport layer engine. The transport layer engine enforces the connection security rules by invoking the IPsec components.


The computing devices on which the security system may be implemented may include a central processing unit, memory, input devices (e.g., keyboard and pointing devices), output devices (e.g., display devices), and storage devices (e.g., disk drives). The memory and storage devices are computer-readable media that may contain instructions that implement the security system. In addition, the data structures and message structures may be stored or transmitted via a data transmission medium, such as a signal on a communications link. Various communications links may be used, such as the Internet, a local area network, a wide area network, or a point-to-point dial-up connection.


The security system may be implemented in various operating environments that include personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The security system may also be implemented on computing devices such as cell phones, personal digital assistants, consumer electronics, home automation devices, and so on.


The security system may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in various embodiments.



FIG. 17 is a flow diagram that illustrates the processing of the auto-generate connection security rules component in one embodiment. The component is invoked to generate the connection security rules from the authenticated firewall rules. Each authenticated firewall rule has a flag that indicates whether a corresponding connection security rule should be automatically generated. The user interface component sets the flag for each authenticated firewall rule that it creates. In block 1701, the component selects the next authenticated firewall rule. In decision block 1702, if all the authenticated firewall rules have already been selected, then the component completes, else the component continues at block 1703. In decision block 1703, if the rule indicates to automatically generate a connection security rule, then the component continues at block 1704, else the component loops to block 1701 to select the next authenticated firewall rule. In block 1704, the component creates a connection security rule data structure. In block 1705, the component invokes the set 5-tuple component to establish the local and remote addresses and ports and protocol for the connection security rule. In decision block 1706, if the selected authenticated firewall rule includes a remote user authorization list, then the component continues at block 1707, else the component continues at block 1708. In block 1707, the component invokes the process remote user authorization component which determines whether an authentication suite for users has been defined for phase 11 of IPsec. In block 1708, the component invokes the set action component to set the action for the connection security rule. In block 1709, the component determines whether there is a matching connection security rule that matches either the 5-tuple or the 2-tuple (i.e., source and destination address). In decision block 1710, if a match is found, then the component continues at block 1712, else the component continues at block 1711. In block 1711, the component invokes the set non-matching security suite component to set the authentication method and crypto suites for the connection security rule based on the defaults. In block 1712, the component invokes the set matching security component to set the authentication and crypto suites based on the matching connection security rule. The component then loops block 1701 to select the next authenticated firewall rule.



FIG. 18 is a flow diagram that illustrates the processing of the set 5-tuple component in one embodiment. The component sets the 5-tuple (i.e., local address, local port, remote address, remote port, and protocol) of the connection security rule based on the 5-tuple of the selected authenticated firewall rule. In block 1801, the component retrieves the 5-tuple of the authenticated firewall rule. In decision block 1803, if the local address is unspecified or is a wildcard, then the component sets the local address to point to the host computer in block 1803, else the component continues at block 1804. In decision block 1804, if the remote address is unspecified or a wildcard, then the component sets the remote address to point to any computer in block 1805, else the component continues at block 1806. In block 1806, the component stores the 5-tuple as modified in the connection security rule and then returns.



FIG. 19 is a flow diagram that illustrates the processing of the process remote user authorization list component in one embodiment. The component is invoked to ensure that a phase 11 authentication suite has been defined. In block 1901, the component retrieves the default phase 11 authentication suite. In decision block 1902, if user authentication is specified, then the component returns, else the component fails the generation of the connection security rule.



FIG. 20 is a flow diagram that illustrates the processing of the set action component in one embodiment. The component sets the action to secure when all the conditions can be copied and the authenticated firewall rule applies to both inbound and outbound traffic. Otherwise, the component sets the action to DMZ. A condition such as application name cannot be copied to a connection security rule because the transport layer does not have knowledge of the application to which data is directed. The action of secure indicates that data will be allowed only if it can be sent securely. The action of DMZ indicates that if the data that matches the 5-tuple cannot be sent securely, it will be sent in the clear. However, it may be denied by the ALE layer. In block 2001, the component determines whether all the conditions have been copied. In decision block 2002, if all the conditions have been copied, then the component continues at block 2003, else the component continues at block 2004. In decision block 2003, if the authenticated firewall rule applies to both inbound and outbound traffic (e.g., one rule may apply to inbound traffic and another rule may apply to outbound traffic or a single rule may apply to both inbound and outbound traffic), then the component continues at block 2005, else the component continues at block 2004. In block 2004, the component sets the action to DMZ and returns. In block 2005, the component sets the action to secure and then returns.



FIG. 21 is a flow diagram that illustrates the processing of the set matching security suites component in one embodiment. The component sets the security suites for the connection security rule based on a matching connection security rule. In blocks 2101-2102, the component sets the phase 11 authentication method and crypto suites based on the matching connection security rule. In block 2103, the component gives higher priority to encryption when the rule being created is an inbound rule and returns. The component gives higher priority to the encryption for inbound rule so that the outbound device, which decides on the crypto suite to use during negotiation, will decide upon encryption if its encryption priority is higher than its integrity only priority.



FIG. 22 is a flow diagram that illustrates the processing of the set non-matching security suites component in one embodiment. The component sets in the phase I and phase 11 authentication methods and crypto suites based on the default security suites. In block 2201, the component identifies the default phase I crypto suites. In block 2202, the component identifies the default phase I authentication method. In block 2203, the component identifies the default phase I crypto suites. In decision block 2204, if the authenticated firewall rule indicates authentication only, then in block 2205 the component gives higher priority to the integrity protection. In decision block 2206, if the authenticated firewall rule indicates both authentication and encryption, then the component continues at block 2207, else the component continues at block 2210. In decision block 2207, if the authenticated firewall rule is for inbound only, then the component continues at block 2209, else the component continues at block 2208. In block 2208, the component gives higher priority to integrity protection. In block 2209, the component gives lower priority to integrity protection. In block 2210, the component identifies the default phase 11 authentication method. The component then sets the security suites of the connection security rule based on the identified authentication methods and crypto suites and then returns.



FIG. 23 is a flow diagram that illustrates the processing of a component to establish an outbound security policy for a connection security in one embodiment. The component establishes the outbound security policy based on the security suites of the inbound security policy. In block 2301, the component retrieves an inbound security policy for IPsec that includes security suites. In block 2302, the component identifies the security suites from the inbound security policy. In block 2303, the component negotiates outbound connections based on the identified security suites. In one embodiment, the component may offer multiple security suites when negotiating an outbound connection. The security suites may be ordered based on the complexity of their security algorithms so that preference is given to the least complex security algorithms. The component may also automatically generate security suites based on various combinations of the security algorithms defined in the security suites of the inbound security policy. For example, one security suite may specify an integrity algorithm of SHA1 and an encryption algorithm of 3DES and another security suite may specify an integrity algorithm of SHA-256 and an encryption algorithm of AES-128. In such a case, the component may generate an outbound security suite that specifies an integrity algorithm of SHA1 and an encryption algorithm of AES-128 and an outbound security suite that specifies an integrity algorithm of SHA-256 and an encryption algorithm of 3DES.



FIG. 24 is a flow diagram that illustrates the processing of the component to establish a connection security policy based on default security suites in one embodiment. In block 2401, the component provides default security suites for connection security. The default security suites may implement a data protection mode based on integrity checking only or based on integrity checking and encryption. In block 2402, the component receives a selection of a data protection mode from an administrator. In block 2403, the component negotiates a connection security using the default security suite associated with the selected data protection mode.



FIG. 25 is a flow diagram that illustrates the processing of a component that automatically generates security suites for a main mode of IPsec in one embodiment. The component generates the security suites based on various combinations of the security algorithms defined by either inbound or outbound security suites of a security policy. In block 2501, the component selects the next key exchange algorithm of a security suite. In decision block 2502, if all the key exchange algorithms have already been selected, then the component completes, else the component continues at block 2503. In block 2503, the component selects the next integrity algorithm of a security suite. In decision block 2504, if all the integrity algorithms have already been selected, then the component loops to block 2501 to select the next key exchange algorithm, else the component continues at block 2505. In block 2505, the component selects the next encryption algorithm of a security suite. In decision block 2506, if all the encryption algorithms have already been selected, the component loops to block 2503 to select the next integrity algorithm, else the component continues at block 2507. In block 2507, the component forms a new security suite based on the selected key exchange algorithm, integrity algorithm, and encryption algorithm. The security system can use the newly formed security suite when negotiating an inbound or outbound connection. The component then loops to block 2505 to select the next encryption algorithm.


Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims. Accordingly, the invention is not limited except as by the appended claims.

Claims
  • 1. A method in a device for providing an outbound security policy for outbound connection security, the method comprising: providing an inbound security policy for inbound connection security, the inbound security policy having security suites, each security suite specifying one or more security algorithms; and effecting an outbound security policy by negotiating an outbound connection by offering to secure the outbound connection based on a security suite of the inbound security policy.
  • 2. The method of claim 1 wherein the offering includes offering multiple security suites to secure the outbound connection.
  • 3. The method of claim 2 wherein the multiple security suites are offered in an order based on complexity of their security algorithms.
  • 4. The method of claim 1 wherein the security algorithms include integrity algorithms and encryption algorithms.
  • 5. The method of claim 4 wherein the offering includes offering multiple security suites generated from various combinations of the integrity algorithms and the encryption algorithms.
  • 6. The method of claim 5 wherein the security algorithms include an authentication algorithm.
  • 7. The method of claim 1 including receiving an indication of whether the outbound security policy is to provide integrity checking or integrity checking and encryption.
  • 8. The method of claim 7 including providing a default security suite for integrity checking and a default security suite for integrity checking and encryption.
  • 9. The method of claim 1 wherein the outbound security policy is based on the IP security protocol.
  • 10. A computer-readable medium containing instructions for controlling a computing device for providing a security policy for connection security, the method comprising: providing default security suites for connection security; receiving a selection of default security suites; and effecting a security policy by negotiating a connection by offering to secure the connection based on the selected default security suite.
  • 11. The computer-readable medium of claim 10 wherein a default security suite is selected on a rule-by-rule basis.
  • 12. The computer-readable medium of claim 10 wherein a security suite includes an integrity algorithm and an encryption algorithm.
  • 13. The computer-readable medium of claim 12 wherein a security suite includes an authentication algorithm.
  • 14. The computer-readable medium of claim 10 wherein the security policy is based on the IP security protocol.
  • 15. A system for providing an outbound security policy for connection security, comprising: providing an inbound security policy for connection security, the inbound security policy having security suites; enforcing the inbound security policy in accordance with the inbound security policy; and enforcing an outbound security policy when negotiating an outbound connection by offering to secure the outbound connection based on a security suite of the inbound security policy.
  • 16. The system of claim 15 wherein the offering includes offering multiple security suites to secure the outbound connection.
  • 17. The system of claim 15 wherein a security suite includes an integrity algorithm, an encryption algorithm, and an authentication algorithm.
  • 18. The system of claim 17 including receiving an indication of whether the outbound security policy is to provide integrity checking or integrity checking and encryption.
  • 19. The system of claim 15 wherein the security policy is based on the IP security protocol.
  • 20. The system of claim 15 wherein the outbound security policy allows all outbound connections that can be secured.