Firewall topology migration

IP.com Disclosure Number: IPCOM000244605D
Publication Date: 2015-Dec-28
Document File: 2 page(s) / 29K

Publishing Venue

The IP.com Prior Art Database

Abstract

We have constructed a system that reads the configuration data for some set of firewalls in a source environment, producing an equivalent set of global rules that represent as closely as possible the behaviour enabled/denied by those source firewalls. These rules, represented in a vendor-neutral intermediate format, can then be automatically collected/reduced for efficiency, and/or transformed to represent the same end-to-end services in a re-numbered data centre. After appropriate review by data centre managers, the vendor-neutral set is then used to generate the initial configuration for firewalls in the new environment. This system is particularly useful for data centre relocation, but is also useful for providing comprehensive review of rules during an upgrade to the firewall infrastructure.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.

Page 01 of 2

Firewall topology migration

There are many reasons to migrate to a new network topology, e.g.,
- when a new network technology is introduced (such as when servers are virtualized),
- when a grown network is redesigned for resiliency reasons,
- during migration to a new data center,
- or as part of the outsourcing of services.

One of the most complex tasks in this is to migrate the firewall service.

It is rare that an organization has fully documented network security requirements. The best documentation is therefore often in the actual firewall rules. They contain a lot more information than observed dependencies, e.g., what is definitely forbidden, or which servers are considered as groups. Often there are comments about the reasons for rules, and named groupings that help in understanding the security policy. Besides using this information in a semantically correct transformation, one often wants to retain these groupings and comments so that the future rules are again understandable.

The problem is therefore to use existing firewall rules with human annotations to plan firewall rules for a new network topology and the same servers, or servers with known changes (e.g., new IP addresses).

We propose a system and method for parsing existing firewall rules into a common format that still allows human interpretation, and to construct a corresponding rule set for the new network topology while retaining as much as possible of the structure and organization of the rule set.
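The pipeline sketched in the abstract and in the paragraph above (parse into a vendor-neutral format, re-number for the new topology, collect/reduce rules, emit again with groups and comments intact) is illustrated below as an added example; it is not code from the disclosure or its authors. The textual rule syntax, the `Rule`/`RuleSet` model, the prefix mapping and the sample rule set are all constructed for the example. Merging is deliberately limited to adjacent rules that differ only in port, because first-match firewalls would change behaviour if a rule were hoisted past an intervening deny.

```python
"""Added example: a minimal vendor-neutral firewall-rule model with
parse -> renumber -> merge -> emit steps. Syntax and data are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # group name, "any", or CIDR
    dst: str
    proto: str
    ports: tuple[int, ...]    # sorted destination ports
    comment: str = ""         # human annotation carried through unchanged


@dataclass
class RuleSet:
    groups: dict[str, list[str]] = field(default_factory=dict)  # name -> CIDRs
    rules: list[Rule] = field(default_factory=list)


def parse(text: str) -> RuleSet:
    """Parse the constructed source syntax:
         group NAME = CIDR, CIDR
         allow|deny SRC -> DST PROTO PORT[,PORT]   # comment
    Group names and trailing comments are preserved, not expanded away."""
    rs = RuleSet()
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue
        if body.startswith("group "):
            name, _, members = body[len("group "):].partition("=")
            rs.groups[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        action, rest = body.split(None, 1)
        src, rest = rest.split("->", 1)
        dst, proto, ports = rest.split()
        rs.rules.append(Rule(action, src.strip(), dst.strip(), proto,
                             tuple(sorted(int(p) for p in ports.split(","))),
                             comment.strip()))
    return rs


def renumber_cidr(cidr: str, mapping: dict[str, str]) -> str:
    """Move a CIDR that lies inside an old prefix into the corresponding new
    prefix, keeping its offset and prefix length. Tokens that are not CIDRs
    (group names, 'any') and CIDRs outside every mapped prefix are unchanged."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return cidr
    for old, new in mapping.items():
        old_net = ipaddress.ip_network(old)
        new_net = ipaddress.ip_network(new)
        if net.subnet_of(old_net):
            offset = int(net.network_address) - int(old_net.network_address)
            moved = int(new_net.network_address) + offset
            return str(ipaddress.ip_network((moved, net.prefixlen), strict=False))
    return cidr


def merge_adjacent(rules: list[Rule]) -> list[Rule]:
    """Collapse consecutive rules that differ only in port into one rule.
    Only neighbours are merged, so first-match ordering is preserved."""
    merged: list[Rule] = []
    for r in rules:
        if merged:
            last = merged[-1]
            same = (last.action, last.src, last.dst, last.proto, last.comment) == \
                   (r.action, r.src, r.dst, r.proto, r.comment)
            if same:
                merged[-1] = replace(last, ports=tuple(sorted(set(last.ports) | set(r.ports))))
                continue
        merged.append(r)
    return merged


def migrate(text: str, mapping: dict[str, str]) -> RuleSet:
    """Full pipeline: parse, renumber groups and literal CIDRs, reduce."""
    rs = parse(text)
    rs.groups = {n: [renumber_cidr(m, mapping) for m in ms] for n, ms in rs.groups.items()}
    rs.rules = merge_adjacent([
        replace(r, src=renumber_cidr(r.src, mapping), dst=renumber_cidr(r.dst, mapping))
        for r in rs.rules])
    return rs


def emit(rs: RuleSet) -> str:
    """Write the vendor-neutral set back out in the same readable syntax."""
    lines = [f"group {n} = {', '.join(ms)}" for n, ms in rs.groups.items()]
    for r in rs.rules:
        line = f"{r.action} {r.src} -> {r.dst} {r.proto} {','.join(map(str, r.ports))}"
        lines.append(f"{line}  # {r.comment}" if r.comment else line)
    return "\n".join(lines)


# Constructed sample: an old 10.1.0.0/16 site moving to 172.20.0.0/16.
SOURCE = """
group webservers = 10.1.2.0/24, 10.1.3.10/32
allow 10.1.0.0/16 -> webservers tcp 80    # customer portal
allow 10.1.0.0/16 -> webservers tcp 443   # customer portal
deny any -> webservers tcp 22             # no ssh from outside
"""
MAPPING = {"10.1.0.0/16": "172.20.0.0/16"}

if __name__ == "__main__":
    print(emit(migrate(SOURCE, MAPPING)))
```

Running the block prints the renumbered set: the `webservers` group keeps its name with members `172.20.2.0/24, 172.20.3.10/32`, the two portal rules collapse into one `tcp 80,443` rule with its comment, and the `any` deny is untouched. A real deployment would add a vendor parser per source firewall and an emitter per target platform on either side of this neutral core.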

Key novel solution elements are:
- Flattening rules from multi-type formats without losing relevant annotations
- Interpreting rules with wildcards by using...