News Column

"Firewall Event Reduction for Rule Use Counting" in Patent Application Approval Process

August 12, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- A patent application by the inventors Bray, Rory F. (Rothesay, CA); Grzelak, Cezar P. (Saint John, CA); Keirstead, Jason D. (Fredericton, CA), filed on March 21, 2014, was made available online on July 31, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to International Business Machines Corporation.

The following quote was obtained by the news editors from the background information supplied by the inventors: "This disclosure relates generally to computer system networks and network management in a data processing system and more specifically to firewall event reduction for rule use counting in managing the network of the data processing system.

"To monitor and manage networks, firewall administrators require knowledge of the frequency of the rules applied to devices being hit by traffic. The frequency information is useful for re-ordering and prioritizing rules for firewall optimization, detecting anomalous patterns due to rules firing more than expected, and issuing reports demonstrating security policy compliance and security posture.

"Traditionally, to determine a number of times a given firewall rule has been hit, the administrator must connect to each individual device in a network and view the rules on the device and a count of the rule hits. The manual process has several limitations. The process is time-consuming because the administrator must connect to each device one-by-one. Further, for many devices, when a rule-set is modified the modification resets the counter, regardless of whether the modification is material to the rule function. The administrator therefore must note the count before and after the rule change, denote the rules as being the same rule (even though they are different to the system) and summarize the counts in a report.

"To reduce effort, firewall administrators typically use external tools to monitor and track use of firewall rules on a network. However, the tools routinely function in the same way because the tools communicate with a device on an interval and query the respective device for a count, and accordingly are subject to the same limitations as the previously described method with respect to detecting a rule as being the same although the system views the rule as modified. Gathering count information requires the monitoring system to connect to and query all the devices throughout the network, which is not always feasible.

"In another example solution, some tools feed firewall rule logs into a system, which runs the logged events through a topological model created using a configuration of the firewalls, and count the rules, as the rules would be hit according to the model. However, this example solution is not a real-time solution. Creating a real-time solution would be very resource-intensive, because a centralized system must be able to process logs from all firewalls in the network through the topological model."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "According to one embodiment, a method for firewall rule use counting receives log messages comprising one or more log data sets from each firewall rule in a particular network whose counts are to be tracked in a log collector, generates a network trie for each reference database in a set of databases and a device source trie and a device destination trie for each firewall device in a plurality of devices of the particular network, a source port and protocol list and a destination port and protocol list for each respective device, a unique object for each log data set received; a mapping database comprising an entry for each log data set received associated with the unique object; and feeds each entry in the mapping database through a topology model to also generate a reference to a unique firewall rule on a respective device in the plurality of devices. A count associated with the unique firewall rule is incremented using a count of logs stored associated with the respective unique object and a report is generated.

"According to another embodiment, a computer program product for firewall rule use counting comprises one or more computer recordable-type data storage devices containing computer executable program code stored thereon. The computer executable program code comprises computer executable program code for receiving log messages comprising one or more log data sets from each firewall rule in a particular network whose counts are to be tracked in a log collector; computer executable program code for generating a network trie for each reference database in a set of databases and a device source trie and a device destination trie for each firewall device in a plurality of devices of the particular network; computer executable program code for generating a source port and protocol list and a destination port and protocol list for each respective device in the plurality of devices; computer executable program code for generating a unique object for each log data set received; computer executable program code for generating a mapping database comprising an entry for each log data set received associated with the unique object; computer executable program code for feeding each entry in the mapping database through a topology model representative of the particular network; computer executable program code for generating a reference to a unique firewall rule on a respective device in the plurality of devices; computer executable program code for incrementing a count associated with the unique firewall rule using a count of logs stored associated with the respective unique object and computer executable program code for generating a report.

"According to another embodiment, an apparatus for firewall rule use counting, comprises a communications fabric, one or more computer recordable data storage devices connected to the communications fabric, a memory connected to the communications fabric, wherein the memory contains computer executable program code, a communications unit connected to the communications fabric and one or more processors connected to the communications fabric. The one or more processors execute the computer executable program code to direct the apparatus to receive log messages comprising one or more log data sets from each firewall rule in a particular network whose counts are to be tracked in a log collector; generate a network trie for each reference database in a set of databases and a device source trie and a device destination trie for each firewall device in a plurality of devices of the particular network; generate a source port and protocol list and a destination port and protocol list for each respective device in the plurality of devices; generate a unique object for each log data set received; generate a mapping database comprising an entry for each log data set received associated with the unique object. The one or more processors further execute the computer executable program code to direct the apparatus to feed each entry in the mapping database through a topology model representative of the particular network; generate a reference to a unique firewall rule on a respective device in the plurality of devices; increment a count associated with the unique firewall rule using a count of logs stored associated with the respective unique object and generate a report.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

"For a more complete understanding of this disclosure, reference is now made to the following brief description, taken in conjunction with the accompanying drawings and detailed description, wherein like reference numerals represent like parts.

"FIG. 1 is a block diagram of an exemplary network data processing system operable for various embodiments of the disclosure;

"FIG. 2 is a block diagram of an exemplary data processing system operable for various embodiments of the disclosure;

"FIG. 3 is a block diagram of a firewall event reduction system operable for various embodiments of the disclosure;

"FIG. 4 is a flowchart of a process for firewall event reduction for rule use counting using the firewall event reduction system of FIG. 3 for various embodiments of the disclosure;

"FIG. 5 is a flowchart of a process for generating a unique object using the firewall event reduction system of FIG. 3 for various embodiments of the disclosure;

"FIG. 6 is a flowchart of a process for generating network tries and device lists using the firewall event reduction system of FIG. 3 operable for various embodiments of the disclosure; and

"FIG. 7 is a flowchart of a process for incrementing a count associated with a unique firewall rule using the firewall event reduction system of FIG. 3 operable for various embodiments of the disclosure."
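The summary above describes a pipeline of device source and destination tries, per-device port and protocol lists, unique objects carrying a log count, and a topology lookup that yields one rule reference per object. The following Python is an added illustration, not code from the patent or from IBM: it builds binary prefix tries for one constructed device, collapses constructed log data sets into unique objects, resolves each object through the tries once and adds its log count to the matched rule. First-match rule ordering, the tuple layout and the single-device topology are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Constructed inputs: one device's rules (id, src prefix, dst prefix, proto, dst port; None = any) and
# log data sets (src, dst, proto, dst port) as a log collector receives them. First-match rule order
# is an assumption of this example, not something the patent text states.
RULES = [("R1", "10.0.0.0/8", "192.168.1.0/24", "tcp", 443),
         ("R2", "10.0.0.0/8", "192.168.1.0/24", "tcp", None),
         ("R3", "0.0.0.0/0", "0.0.0.0/0", None, None)]
LOGS = [("10.1.2.3", "192.168.1.10", "tcp", 443)] * 3 + [("10.1.2.3", "192.168.1.10", "tcp", 22)] * 2
LOGS += [("172.16.0.9", "8.8.8.8", "udp", 53)]

def build_trie(rules, field):
    """Binary prefix trie over one address field; node = {'0': child, '1': child, 'rules': ids}."""
    root = {"rules": set()}
    for rule in rules:
        net = ipaddress.ip_network(rule[field])
        node = root
        for b in format(int(net.network_address), "032b")[: net.prefixlen]:
            node = node.setdefault(b, {"rules": set()})
        node["rules"].add(rule[0])
    return root

def trie_lookup(root, addr):
    """Ids of every rule whose prefix contains addr, i.e. all nodes on the path from the root."""
    node, found = root, set(root["rules"])
    for b in format(int(ipaddress.ip_address(addr)), "032b"):
        node = node.get(b)
        if node is None:
            break
        found |= node["rules"]
    return found

SRC_TRIE, DST_TRIE = build_trie(RULES, 1), build_trie(RULES, 2)  # device source/destination tries

def match_rule(src, dst, proto, dport):
    """First rule matching on src, dst, protocol and port, or None when nothing matches."""
    candidates = trie_lookup(SRC_TRIE, src) & trie_lookup(DST_TRIE, dst)
    for rule_id, _, _, rp, rport in RULES:  # proto/port fields stand in for the device port list
        if rule_id in candidates and rp in (None, proto) and rport in (None, dport):
            return rule_id

def count_rule_hits(logs):
    """Event reduction: collapse logs into unique objects, resolve each once, add its log count."""
    mapping_db = Counter(logs)  # unique object -> number of logs that produced it
    hits = Counter()
    for obj, n in mapping_db.items():
        if rule := match_rule(*obj):
            hits[rule] += n
    return hits, len(mapping_db)
```

With the six constructed logs, only three unique objects pass through the tries, which is the reduction the disclosure is after.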

For the URL and more information on this patent application, see: Bray, Rory F.; Grzelak, Cezar P.; Keirstead, Jason D. Firewall Event Reduction for Rule Use Counting. Filed March 21, 2014 and posted July 31, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=63&p=2&f=G&l=50&d=PG01&S1=20140724.PD.&OS=PD/20140724&RS=PD/20140724

Keywords for this news article include: Information Technology, Information and Data Storage, Information and Data Processing, International Business Machines Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Information Technology Newsweekly