The invention relates generally to managing rule sets, and more specifically in one embodiment to combining rules in a firewall.
A portion of the disclosure of this patent document contains material to which the claim of copyright protection is made. The copyright owner has no objection to the facsimile reproduction by any person of the patent document or the patent disclosure, as it appears in the U.S. Patent and Trademark Office file or records, but reserves all other rights whatsoever.
Computers are valuable tools in large part for their ability to communicate with other computer systems and retrieve information over computer networks. Networks typically comprise an interconnected group of computers, linked by wire, fiber optic, radio, or other data transmission means, to provide the computers with the ability to transfer information from computer to computer. The Internet is perhaps the best-known computer network, and enables millions of people to access millions of other computers such as by viewing web pages, sending e-mail, or by performing other computer-to-computer communication.
But, because the size of the Internet is so large and Internet users are so diverse in their interests, it is not uncommon for malicious users or pranksters to attempt to communicate with other users' computers in a manner that poses a danger to the other users. For example, a hacker may attempt to log in to a corporate computer to steal, delete, or change information. Computer viruses or Trojan horse programs may be distributed to other computers, or unknowingly downloaded or executed by large numbers of computer users. Further, computer users within an organization such as a corporation may on occasion attempt to perform unauthorized network communications, such as running file sharing programs or transmitting corporate secrets from within the corporation's network to the Internet.
For these and other reasons, many corporations, institutions, and even home users use a network firewall or similar device between their local network and the Internet. The firewall is typically a computerized network device that inspects network traffic that passes through it, permitting passage of desired network traffic based on a set of rules.
Firewalls perform their filtering functions by observing communication packets, such as TCP/IP or other network protocol packets, and examining characteristics such as the source and destination network addresses, what ports are being used, and the state or history of the connection. Some firewalls also examine packets traveling to or from a particular application, or act as a proxy device by processing and forwarding selected network requests between a protected user and external networked computers.
The firewall typically controls the flow of network information by monitoring connections between various ports, sockets, and protocols, such as by examining the network traffic in a firewall. Rules based on socket and other information are used to selectively filter or pass data, and to log network activity. Firewall rules are typically configured to identify certain types of network traffic that are to be prohibited or that should have certain other restrictions applied, such as blocking traffic on ports known to be used for file sharing programs while virus scanning any data received over a traditional FTP port.
But, the number of rules needed to configure a firewall to handle the large variety of network traffic that is often present in even a small office can be daunting to manage. Hundreds or even thousands of rules are sometimes applied, with additional complexity in that rules are often processed in order, so that the order in which rules are listed can affect which rules are applied.
Various example embodiments of the invention comprise a firewall system and a firewall rule management tool that are operable to evaluate a rule set for rules that may be merged, present selected rules that can be merged to an administrator, along with an indication of any change in function of the resulting merged rule, and receive input from the administrator indicating whether to merge the selected rules.
In the following detailed description of example embodiments of the invention, reference is made to specific examples by way of drawings and illustrations. These examples are described in sufficient detail to enable those skilled in the art to practice the invention, and serve to illustrate how the invention may be applied to various purposes or embodiments. Other embodiments of the invention exist and are within the scope of the invention, and logical, mechanical, electrical, and other changes may be made without departing from the subject or scope of the present invention. Features or limitations of various embodiments of the invention described herein, however essential to the example embodiments in which they are incorporated, do not limit the invention as a whole, and any reference to the invention, its elements, operation, and application do not limit the invention as a whole but serve only to define these example embodiments. The following detailed description does not, therefore, limit the scope of the invention, which is defined only by the appended claims.
The network device 103 is in various embodiments a firewall device, an intrusion protection device, or functions as both. A firewall device or module within the network device provides various network flow control functions, such as inspecting network packets and dropping or rejecting network packets that meet a set of firewall filtering rules. As described previously, firewalls typically perform their filtering functions by observing communication packets, such as TCP/IP or other network protocol packets, and examining characteristics such as the source and destination network addresses, what ports are being used, and the state or history of the connection. Some firewalls also examine packets traveling to or from a particular application, or act as a proxy device by processing and forwarding selected network requests between a protected user and external networked computers. Firewalls often use “signatures” or other characteristics of undesired traffic to detect and block traffic that is deemed harmful or that is otherwise undesired.
Firewalls typically use sets of rules to filter traffic, such that what happens with any particular element of network data is dependent on how the rule set applies to that particular data. For example, a rule blocking all traffic to port 6346 will block incoming traffic bound for that port on a server within the protected network, but will not block other data going to the same server on a different port number. The order of rules also plays a role in operation: if a prior rule says to allow all traffic from a particular range of IP addresses irrespective of the destination IP address or port, an incoming connection request to port 6346 from that range will be allowed, because the IP address rule is processed before the port 6346 rule.
The firewall administrator responsible for configuring the firewall and managing the rule set balances trust, firewall performance, and rule set size and manageability in determining how to configure firewall rules to best suit a particular network environment. As the number of rules grows into the hundreds or even larger in some cases, the administrator's ability to efficiently manage the rule set and understand its operation is hindered.
In some circumstances, rules can be combined to reduce the number of rules that need to be managed in a set, but combination of rules can be logically difficult. As has been previously discussed, the order of two or more separate rules can influence which rule is applied to certain network traffic, and it is not always possible to create a single rule that behaves the same as a series of ordered rules. Also, combination of rules can be nearly impossible if the exact same filtering results are required, given that the scope of individual rules may not perfectly complement other rules in such a way that the rules can be combined and achieve exactly the same filtering result.
Consider as an example a first rule that says to allow but virus scan all FTP traffic coming from countries outside the United States, and a second rule that says to allow all FTP traffic coming from the United Kingdom (.uk). These rules cannot simply be combined while achieving the same result, since as written the rules do not currently require virus scanning of FTP traffic from the United Kingdom. The most logical combined rule would allow FTP traffic from outside the United States but require virus scanning, thereby adding a virus scanning requirement to FTP traffic from the United Kingdom where no such requirement existed before. The administrator must recognize that this possible rule combination exists, and recognize and accept the change in combined rule behavior to combine even these two simple rules.
Duplicate rules, seemingly different rules that function to have similar effect except for one or two parameters, and combined rule sets such as from multiple firewalls into a single enterprise management system can make these problems even more complex. Further, addition of new rules to a rule set, such as to facilitate operation of new technologies or applications or to handle new threats, can significantly change the operation of other rules in the rule set. The administrator is responsible for deciding where to place the rule in the ordered rule list, and determining whether and how the new rule will interact with any of the hundreds of other rules likely already in the rule set.
Some embodiments of the invention address this issue by providing an administrator tool that facilitates management of a rule set. In one embodiment, the administrator tool is a software application that provides a user interface that enables the administrator to perform various functions, including searching for interaction of a given rule with other rules in the rule set, identifying rules that may be combinable with no change in rule function, and identifying rules that may be combinable but that will result in a change in rule function along with identifying the functional difference between the current rules and the combined rule.
This is achieved in a more detailed example by using the parameters of the rule space, including source, destination, user, service, enterprise firewall ID, and other such parameters to identify rules that may interact or be combinable.
While it becomes evident that the first two rules can be easily combined, as they are identical except for a single parameter that does not overlap or interact in identifying two different connection sources, the third rule is distinctly different. Both the actions allowed and the virus scanning parameter are different, as is the lack of a specific, identified source. Further, the order of the third rule is important, as the rule should be processed only after the first two rules, so that the trusted sources are allowed to FTP and “put” files to the servers protected by the firewall.
Adding the third rule to the other two to form a combined rule will therefore require that the firewall behaves differently for at least some connections. In this example, it may be acceptable to allow FTP access including upload capability for all users, requiring anti-virus scanning for uploads only. The administrator may deem this a reasonable risk to take, or may decide the change to rule set functionality is unacceptable and only allow combination of the first two rules while declining to allow the third rule to be combined with the first two.
The changed rule condition space can be envisioned as a condition space having a number of dimensions equal to the number of rule parameters, in which the rules can be graphically represented by multi-dimensional rectangles, as is illustrated in the example in
One embodiment of the invention derives and presents a proposed combined rule, with or without a description of the change in function between combined rules and independent rules, such as by presenting a “difference rule” as shown at 4 in
A further embodiment seeks to minimize the size of the difference rule resulting from rule combinations, and presents proposed rules meeting a certain threshold for added rule space within the combined rule rectangle, presents multiple options to the administrator, or breaks proposed combined rules up into multiple proposed combined rules when appropriate to reduce the difference rule space relative to the combined rule space.
Some embodiments of a rule combination tool also restrict combination of rules that operate differently when combined than when processed in order, and can alert the administrator when a new rule can be combined with, negate, or interact with currently existing rules.
Some rule characteristics are assigned default actions in this example, and are not changeable. For example, Action element data, such as drop, allow, or deny, is compared by default as it is assumed that an administrator would not willingly combine rules that take different actions. The rule name and description fields are ignored, as the content of these fields is descriptive and meaningful matches are not likely to be found. Other conditions, such as source, destination, time period, and service are administrator-configurable, as shown in the Condition Elements box in
Once the administrator has selected one or more elements to be compared or merged, the next box is clicked and a rule merge comparison is run on the rule set based on the selected criteria elements. The results are presented to the administrator as groupings of rules that may be merged, such as is shown in
Here, rules 2 and 19 are combined, as the rules are similar but operate on different firewall devices within an enterprise. Combination of the rules is straightforward, as the “Apply On” criteria element can simply be merged to recite that the same rule is to be applied on several different systems rather than requiring multiple rules to specify the same thing. Also, a number of rules can be combined into rule 3, if the “Apply On” and “Services” fields are merged such that similar rules applied to different services on different firewall devices are combined into one or more merged rules.
If there are differences in values of other fields in the merge screen, the administrator is presented with a screen that enables review of the proposed merged rule, including the ability to accept or decline the proposed merger or alter the rule merger.
Once the user has accepted the merged rules, amended and accepted the merged rules, or declined the merged rules, the resulting rules are presented to the administrator who then gives final approval to accept the merged rule set. The merged rules then replace the combined original rules in the rule set, reducing the total number of rules and likely improving the efficiency and readability of the rule set.
The rules are managed in some embodiments as entries in a database, such as an SQL database of rule elements that can be searched based on the administrator-selected criteria to find merge candidates. In further embodiments, the same rule data is used to determine whether a new rule will interact with currently existing rules, or can be merged with currently existing rules. Rule addition is therefore handled in some embodiments by using administrator tools such as those shown in
Similarly, a database of rule criteria that is ordered, as are the rules in the example presented here, can be searched to determine whether a new rule or a group of rules that may be merged interact with other rules in an order-specific way, such that order dependencies can be flagged and brought to the attention of the administrator, such as by use of a special color or other marker in the rule merge tool example presented above. The administrator in some situations will likely accept the loss of order specific rule behavior and merge the rules based on a presented difference rule or other description of the order dependency, while in other situations will decline to change rule behavior by combining the order-dependent rules.
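The following Python is an added worked example, not code from the patent, that models the ideas above: each rule as a rectangle in the condition space (source, destination, service, apply-on firewall), the merged rule as the enclosing rectangle, the “difference rule” as the cells the merged rule matches that neither original matched, a threshold on the size of that difference relative to the merged rule space, and a check for order dependencies between the two rules being merged. The condition universe, field names, the sample rules (named after the page's rules 2, 19 and 3 but otherwise constructed) and the threshold mechanism are assumptions for the example; a real tool would back the same checks with its rule database.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Set, Tuple

# Action is always compared and never merged; name/description are ignored,
# matching the defaults described on the page. Condition elements are sets of
# values so that a rule is a rectangle in the 4-dimensional condition space.
Cell = Tuple[str, str, str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow", "drop" or "deny"; must match to merge
    source: FrozenSet[str]
    destination: FrozenSet[str]
    service: FrozenSet[str]
    apply_on: FrozenSet[str]     # enterprise firewall IDs the rule is installed on

    def cells(self) -> Set[Cell]:
        # Enumerate the rule's rectangle as every (source, destination,
        # service, apply_on) point it matches. Fine for a small, finite universe.
        return set(product(self.source, self.destination, self.service, self.apply_on))


def merge(a: Rule, b: Rule) -> Rule:
    # Smallest rectangle enclosing both rules: union every condition element.
    return Rule(name=f"{a.name}+{b.name}", action=a.action,
                source=a.source | b.source, destination=a.destination | b.destination,
                service=a.service | b.service, apply_on=a.apply_on | b.apply_on)


def difference_rule(a: Rule, b: Rule) -> Set[Cell]:
    # Traffic the merged rule matches that neither original matched: the change
    # in function the administrator must accept. Empty when the rules differ in
    # a single element only (e.g. the same rule installed on two firewalls).
    return merge(a, b).cells() - (a.cells() | b.cells())


def merge_candidates(rules: List[Rule], max_diff_fraction: float = 0.0):
    # Pairs with the same action whose difference rule, as a fraction of the
    # merged rule's space, is within the threshold. 0.0 yields only merges
    # that do not change rule set function.
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action != b.action:
                continue
            diff = difference_rule(a, b)
            fraction = len(diff) / len(merge(a, b).cells())
            if fraction <= max_diff_fraction:
                found.append((a.name, b.name, round(fraction, 3)))
    return found


def order_dependencies(rules: List[Rule], a: Rule, b: Rule) -> List[str]:
    # Rules listed between a and b that currently match first, with a different
    # action, for traffic the merged rule would capture at a's position. Any hit
    # means merging changes behaviour even though the difference rule may be empty.
    i, j = rules.index(a), rules.index(b)
    if i > j:
        i, j, a, b = j, i, b, a
    newly_first = merge(a, b).cells() - a.cells()
    return [r.name for r in rules[i + 1:j]
            if r.action != a.action and r.cells() & newly_first]


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


# Constructed sample rule set in processing order (hypothetical values).
RULES = [
    Rule("r2",  "allow", fs("branch_net"), fs("ftp_srv"), fs("ftp"),  fs("fw-east")),
    Rule("r7",  "drop",  fs("branch_net"), fs("ftp_srv"), fs("ftp"),  fs("fw-west")),
    Rule("r19", "allow", fs("branch_net"), fs("ftp_srv"), fs("ftp"),  fs("fw-west")),
    Rule("r3",  "allow", fs("branch_net"), fs("ftp_srv"), fs("http"), fs("fw-north")),
]

if __name__ == "__main__":
    print("lossless merges:", merge_candidates(RULES))
    print("merges within 50% added space:", merge_candidates(RULES, 0.5))
    print("difference rule r2/r3:", sorted(difference_rule(RULES[0], RULES[3])))
    print("order dependencies r2/r19:", order_dependencies(RULES, RULES[0], RULES[2]))
```

Run as a script, it reports r2 and r19 as a lossless merge (they differ only in “Apply On”), r2/r3 and r19/r3 as merges that add half of the merged rectangle as new function (the difference rule lists the newly matched service/firewall combinations), and flags r7 as an order dependency for the r2/r19 merge: r7 currently drops the branch-to-FTP traffic on fw-west before r19 is reached, so a merged rule placed at r2's position would allow it. That last case is exactly the order-specific behaviour the page says should be marked for the administrator's decision.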
New rules may subsume or negate previous rules, or conflicting rules may be present in the ruleset, and the rule administration tool in a further embodiment is operable to help the administrator spot rules that have such rule conflicts so that the administrator can select which of the rules to apply, what order the rules should be applied, or merge the rules into a single rule if appropriate.
The examples presented here have shown how a rule merge tool in a firewall can be used to evaluate rule interaction with other rules, and facilitate merging rules and simplifying rule sets. Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that any arrangement which is calculated to achieve the same purpose may be substituted for the specific embodiments shown. This application is intended to cover any adaptations or variations of the example embodiments of the invention described herein. It is intended that this invention be limited only by the claims, and the full scope of equivalents thereof.