
Network Communication Validation by Automated Policy Examination

IP.com Disclosure Number: IPCOM000019247D
Original Publication Date: 2003-Sep-08
Included in the Prior Art Database: 2003-Sep-08
Document File: 7 page(s) / 34K

Publishing Venue

IBM

Abstract

Disclosed is a system that can automatically review new routing and firewall rules once it has learned the organization's security policy. Using the described system, an organization's security policy can be stored in a machine-processable format. The resulting machine-actionable security policy enables an automated system to process a proposed change to a routing or firewall rule and judge whether it would violate the organization's security policy. The system streamlines the organization's security review process and improves its security posture through correct and consistent application of the security policy.

This is the abbreviated version, containing approximately 29% of the total text.

Page 1 of 7

Network Communication Validation by Automated Policy Examination

The task of keeping computer networks secure while maintaining their integrity is difficult and oftentimes daunting. However, it must be performed day in and day out without a single break. While many IT and security professionals understand the importance of establishing a security policy as the first step to securing any environment, the next step, enforcing the security policy in the target environment such as a computer network, is just as important as the first. Because an unenforced or incorrectly enforced security policy negates the reasons for having the security policy in the first place, it helps to identify and mitigate any possible causes that make correct and consistent enforcement of the policy difficult or impractical. The factors that influence the quality of security policy enforcement in an organization vary, but the following are some of the typical negative factors when it comes to applying a security policy to computer networks:

As a computer network becomes larger and more complex, more personnel are required to maintain the network's availability and integrity. As more personnel become involved in implementing and enabling different network services or connections on a network or between multiple networks, their differing levels of technical skill and understanding of the overall environment affect how these services or connections are implemented. How the new services and connections are implemented determines the degree of impact the changes will have on the integrity and security of the networks. Even if security administrators are required to review the network services and connections to be implemented, inconsistent results are possible due to the security personnel's level of technical experience, skills, and understanding of the target network environment and governing policies. The review process for new network services and connections can be time-consuming and repetitive, leading to inefficient use of human resources.

One possible use of the invention is in approving change requests for firewall rules. As stated above, implementing and maintaining computer networks can be an exhausting task. The ever-increasing complexity of computer networks is fueled by the advancing technology of the network services we run on them. This has led to an increasing number of networks that must be connected and yet separated and protected by firewalls. The increasing complexity of networks and services multiplies the number of firewalls that must be managed and the kinds of rules each firewall must enforce when examining data packets. Implementing and maintaining these firewall rules quickly becomes an exhausting task even for a seasoned firewall specialist.
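The disclosure does not specify how its policy is encoded or how a change request is judged, so the following is an added illustration of the idea, not code from the disclosure or from IBM. It assumes a constructed policy in which addresses are grouped into zones and the policy is a table of permitted zone-to-zone services (everything absent from the table is forbidden). A proposed rule is approved only when every zone pair it would open is permitted for every service it carries, which also catches rules whose source or destination range is so broad that it spans several zones.

```python
"""Added example: automated review of proposed firewall rules against a
machine-processable security policy.  Zone and policy data below are
constructed samples, not taken from the disclosure."""
import ipaddress
import re
from typing import Dict, FrozenSet, List, Set, Tuple, Union

ANY = "any"                                  # sentinel: every protocol/port
Service = Tuple[str, int]                    # (protocol, port)
Permitted = Union[str, FrozenSet[Service]]   # ANY or an explicit service set

# Constructed zone map: each zone is a list of non-overlapping CIDRs.
# Anything not covered by a zone is treated as "internet".
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "internal":   [ipaddress.ip_network("10.0.0.0/8")],
    "dmz":        [ipaddress.ip_network("192.0.2.0/24")],
    "management": [ipaddress.ip_network("172.16.0.0/12")],
}

# Constructed machine-actionable policy: permitted flows between zones.
# A zone pair missing from this table permits no service at all.
POLICY: Dict[Tuple[str, str], Permitted] = {
    ("internet", "dmz"):        frozenset({("tcp", 80), ("tcp", 443)}),
    ("dmz", "internal"):        frozenset({("tcp", 5432)}),
    ("internal", "dmz"):        ANY,
    ("internal", "internet"):   frozenset({("tcp", 80), ("tcp", 443)}),
    ("management", "internal"): ANY,
    ("management", "dmz"):      ANY,
}

# Hypothetical rule syntax for the examples:
#   allow tcp from 203.0.113.0/24 to 10.1.2.3 port 443,8443
RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<proto>tcp|udp|any)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)\s+port\s+(?P<port>\S+)$", re.IGNORECASE)


def zones_touched(net: ipaddress.IPv4Network) -> Set[str]:
    """Every zone the address range reaches into.  A range that is not
    wholly inside one zone CIDR also reaches the internet (simplification:
    a range covered only by the union of several CIDRs is counted as
    touching the internet, which errs on the conservative side)."""
    touched = {name for name, cidrs in ZONES.items()
               if any(net.overlaps(c) for c in cidrs)}
    if not any(net.subnet_of(c) for cidrs in ZONES.values() for c in cidrs):
        touched.add("internet")
    return touched


def parse_rule(text: str):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    proto, port = m["proto"].lower(), m["port"].lower()
    if port == ANY:
        service: Permitted = ANY            # any port is widest, whatever the protocol
    else:
        protos = ["tcp", "udp"] if proto == ANY else [proto]
        service = frozenset((p, int(n)) for p in protos for n in port.split(","))
    return (m["action"].lower(),
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            service)


def _fmt(svc: FrozenSet[Service]) -> str:
    return ", ".join(f"{p}/{n}" for p, n in sorted(svc)) or "nothing"


def review_change(text: str) -> Tuple[str, List[str]]:
    """Judge one proposed rule.  Returns ("approved"|"rejected", findings)."""
    action, src, dst, service = parse_rule(text)
    if action == "deny":
        return "approved", ["deny rules never widen exposure"]
    findings: List[str] = []
    for s in sorted(zones_touched(src)):
        for d in sorted(zones_touched(dst)):
            if s == d:
                continue                      # intra-zone traffic is out of scope here
            allowed = POLICY.get((s, d), frozenset())
            if allowed == ANY:
                continue
            if service == ANY:
                findings.append(f"{s}->{d}: rule opens every service; "
                                f"policy permits {_fmt(allowed)}")
            elif service - allowed:
                findings.append(f"{s}->{d}: {_fmt(service - allowed)} not permitted")
    return ("rejected" if findings else "approved"), findings


if __name__ == "__main__":
    # Constructed change requests, as a reviewer would see them queued.
    for proposal in [
        "allow tcp from 0.0.0.0/0 to 192.0.2.10 port 443",      # public web: fine
        "allow tcp from 203.0.113.0/24 to 10.1.2.3 port 22",    # internet -> internal
        "allow any from 192.0.2.0/24 to 10.0.0.0/8 port any",   # far too wide
        "allow tcp from 10.0.0.0/8 to 0.0.0.0/0 port 443",      # destination spans zones
        "deny any from 0.0.0.0/0 to 0.0.0.0/0 port any",
    ]:
        verdict, why = review_change(proposal)
        print(f"{verdict:8} {proposal}")
        for line in why:
            print(f"         - {line}")
```

Because a rule is judged per zone pair rather than per address, the reviewer sees exactly which zone boundary a request would breach, and the same input always yields the same verdict regardless of who submitted it. Extending the policy is a data change (a new row in `POLICY`), not a code change.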

If the proposed invention is implemented to validate and approve the firewall rule change requests, the following benefits would be realized as the proposed inventio...