U.S. patent application number 11/290976 was filed with the patent office on 2006-08-24 for determining firewall rules for reverse firewalls.
This patent application is currently assigned to AT&T Corp. Invention is credited to William A. Aiello, Charles Robert JR. Kalmanek, William J. III Leighton, Patrick McDaniel, Subhabrata Sen, Oliver Spatscheck, Jacobus E. Van der Merwe.
Application Number: 20060190998 11/290976
Family ID: 36264048
Filed Date: 2006-08-24
United States Patent Application 20060190998
Kind Code: A1
Aiello; William A.; et al.
August 24, 2006
Determining firewall rules for reverse firewalls
Abstract
A reverse firewall for removing undesirable traffic from a
computing network, such as a virtual private network (VPN), is
disclosed. The reverse firewall uses firewall rules that may be
determined and maintained within the enterprise network to control
communication sent between computers in the computing network. The
reverse firewall rules may be used to identify the communications
between computers in the network that are undesirable and/or
intrusive. For example, a computer in a network that is infected
with a worm or that is surreptitiously hosting a denial-of-service
attack may be identified by the reverse firewall and quarantined.
The reverse firewall may be implemented in hardware and/or
software.
Inventors: Aiello; William A.; (Vancouver, CA); Kalmanek; Charles Robert JR.; (Short Hills, NJ); Leighton; William J. III; (Scotch Pines, NJ); McDaniel; Patrick; (State College, PA); Sen; Subhabrata; (New Providence, NJ); Spatscheck; Oliver; (Randolph, NJ); Van der Merwe; Jacobus E.; (New Providence, NJ)
Correspondence Address: AT&T CORP., ROOM 2A207, ONE AT&T WAY, BEDMINSTER, NJ 07921, US
Assignee: AT&T Corp, New York, NY
Family ID: 36264048
Appl. No.: 11/290976
Filed: November 30, 2005
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
60653925 | Feb 17, 2005 |
Current U.S. Class: 726/11
Current CPC Class: H04L 63/0236 20130101; H04L 63/0263 20130101; H04W 28/00 20130101; H04L 63/029 20130101; H04L 43/16 20130101; H04L 63/0254 20130101
Class at Publication: 726/011
International Class: G06F 15/16 20060101 G06F015/16
Claims
1. A method for securing a network using a reverse firewall, the
reverse firewall accessing a profile of a host in the network, the
method comprising the steps of: at the reverse firewall, receiving
a network communication from a host in the network; if parameters
of the network communication from the host are in the profile of
the host, allowing the network communication from the host; and if
parameters of the network communication from the host are not in
the profile of the host, enforcing a throttling discipline on the
network communication to determine whether to allow or to block the
network communication from the host.
2. The method of claim 1, the reverse firewall further comprising
an out-of-profile counter for each host in the network, the method
further comprising the steps of: updating the out-of-profile
counter for the host, if the parameters of the network
communication from the host are not in the profile of the host.
3. The method of claim 2, wherein the throttling discipline is a
n-r-relaxed discipline.
4. The method of claim 2, wherein the throttling discipline is a
n-r-strict discipline.
5. The method of claim 2, wherein the throttling discipline is a
n-r-open discipline for controlling out-of-profile network
communication from the host.
6. The method of claim 4, the value of n being zero, and all
network communication from the host being blocked when an
out-of-profile network communication is attempted by the host.
7. The method of claim 1, the parameters of the network
communication from the host being in the profile of the host if the
destination address, destination port, and protocol of the network
communication are present in the profile of the host.
8. The method of claim 1, the parameters of the network
communication from the host being in the profile of the host if the
destination address and the destination port of the network
communication are present in the profile of the host.
9. The method of claim 1, the parameters of the network
communication from the host being in the profile of the host if the
destination address of the network communication is present in the
profile of the host.
10. A method for determining a communications management policy for
a reverse firewall in a network, the method comprising the steps
of: generating a profile for a host in the network; and setting a
throttling discipline for out-of-profile network communication from
the host.
11. The method of claim 10, the step of generating a profile of a
host including generating an initial set of rules corresponding to
network communication originating from the host, and at least some
of the initial set of rules are based on an analysis of network
communication between a plurality of hosts in the network during a
learning period.
12. The method of claim 11, the profile of the host comprising
PCSPP rules.
13. The method of claim 11, the profile of the host comprising PCSP
rules.
14. The method of claim 11, the profile of the host comprising PSP
rules.
15. The method of claim 10, further comprising the step of:
updating the profile of the host in the network, the profile being
stored in the reverse firewall.
16. The method of claim 15, the step of updating the profile of the
host including automatically updating the set of rules to
accommodate for known undesirable network communication.
17. The method of claim 16, the known undesirable network
communication comprising at least one of: tcp communication between
two hosts in the network that consists of less than three packets
in each direction; udp communication between two hosts in the
network that consists of less than two packets in either direction;
and no icmp data communication.
18. A network device for controlling a network communication sent
from a host in a network, the network device configured to enforce
a profile of the host and a throttling discipline, the device
comprising: a memory unit storing a set of rules corresponding to
the profile of the host in the network, the network device
accessing the memory unit to identify the set of rules
corresponding to the profile of the host in the network; and an
out-of-profile counter for use by the network device to enforce the
throttling discipline.
19. The device of claim 18, the network device comprising a
programmable router configured as a reverse firewall, the host in
the network being connected to the network device.
20. The device of claim 18 coupled to an out-of-profile-counter,
the out-of-profile counter being provided for each host in the
network, the profile being stored in the memory unit, and the
out-of-profile counter comprising a number and a timer.
Description
[0001] This application claims the benefit of priority from U.S.
Provisional Application No. 60/653,925, entitled "Determining
Firewall Rules For Reverse Firewalls" filed Feb. 17, 2005, the
disclosure of which is expressly incorporated herein by reference
in its entirety.
TECHNICAL FIELD
[0002] Aspects of the invention relate to a method and/or device
for improving the protection of hosts in an internal network. More
specifically, aspects of the invention relate to techniques for
generating, maintaining, and enforcing a communications management
policy in a network.
BACKGROUND
[0003] The outbreak of worms taking advantage of
vulnerabilities in commercial desktop security software has
highlighted the need for multi-faceted security measures. Perimeter
defenses (e.g., conventional firewalls) are only marginally
effective in suppressing worms because of the difficulty of
defining and implementing these types of systems. Enterprise
networks, in particular, are at risk from a deficiency in security
against worms. For example, once a worm is in a company's internal
network, it can spread to other internal computers even if they are
completely isolated from the Internet. Furthermore, worms may be
introduced into a company's internal network by laptops that are
used both outside and within the enterprise.
[0004] Therefore, there is a need in the art for a method and/or
device for protecting against worms and other security threats
within enterprise networks, and generally, data networks. There is
also a need in the art for a method or device for protecting a host
in an internal network from other hosts in that same network in a
brownfield and greenfield environment.
SUMMARY
[0005] Disclosed herein is a method for securing a network using a
reverse firewall that accesses a profile of an internal host. In
one embodiment, the reverse firewall may receive communication from
an internal host, and may, if the communication from the host is
in-profile, allow the communication to pass. Else, if the
communication from the host is out-of-profile, the reverse firewall
may enforce a throttling discipline on the communication to
determine whether to allow or block the communication. Some
examples of throttling disciplines in accordance with the invention
include, but are not limited to, n-r-relaxed, n-r-strict, and
n-r-open.
[0006] In addition, disclosed herein is a method for determining a
communications management policy for a reverse firewall in a
network. In one embodiment, a profile may be generated and updated
for an internal host. The reverse firewall may set a throttling
discipline designated for out-of-profile communication from the
host. The profile of an internal host may comprise an initial set
of rules based on an analysis of communication between a plurality
of hosts during a learning period.
[0007] Furthermore, disclosed herein is a reverse firewall for
controlling communication sent from an internal host. The reverse
firewall may be implemented in a network device configured to
enforce a profile and a throttling discipline, and comprising a
memory unit and an out-of-profile counter.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] One or more embodiments of aspects of the invention are
illustrated by way of example and not by way of limitation in the accompanying
figures in which like reference numerals indicate similar elements
and in which:
[0009] FIG. 1 shows an illustrative operating environment for
various aspects of the invention;
[0010] FIG. 2 depicts a flowchart of a method for securing a
network using a reverse firewall in accordance with various
embodiments of the invention;
[0011] FIG. 3 illustrates a flowchart of a method for determining a
policy for a reverse firewall in accordance with various
embodiments of the invention; and
[0012] FIG. 4 illustrates a memory unit in a reverse firewall in
accordance with various embodiments of the invention.
DETAILED DESCRIPTION
[0013] A reverse firewall in accordance with aspects of the
invention may improve the protection of the hosts within a network
against worms and similar security threats. The reverse firewall
may generate, maintain/update, and enforce a profile of a host in
the network to protect other internal hosts from that host. In
addition, a reverse firewall may enforce a throttling discipline
(TD) to determine whether to allow or block network communication
from a host. These and other aspects of the invention will become
apparent to one skilled in the art after review of the entire
disclosure and any disclosures incorporated by reference herein.
[0014] FIG. 1 illustrates an example of a suitable network
architecture in which aspects of the invention may be implemented.
The network architecture is only one example of a suitable network
layout and is not intended to suggest any limitation as to the
scope of use or functionality of the invention. Other well known
computing systems, environments, and/or configurations that may be
suitable for use with the invention include, but are not limited
to, personal computers, server computers, hand-held or laptop
devices, multiprocessor systems, microprocessor-based systems,
programmable consumer electronics, networked PCs, minicomputers,
mainframe computers, distributed computing environments that
include any of the above systems or devices, and the like.
[0015] A reverse firewall in accordance with aspects of the
invention may be used to secure a network 102 of hosts 114, 116,
118, 120. The reverse firewall may be embodied in any network
device connected to the network 102. For example, a router 112, hub
110, switch 108, and/or conventional firewall 104 may be configured
to act as (or work in combination with another device to act as) a
reverse firewall. In addition, one or more network devices (e.g.,
host 118) may be connected to the network 102 through wireless
communication, such as IEEE 802.11, Wi-Fi, radio frequency (RF),
and Bluetooth. One skilled in the art will understand that a
network device need not be directly connected to a network 102 to
be considered connected in accordance with aspects of the
invention. The term, connected, shall not require a device to be
directly connected. Furthermore, an external host 106 may be
connected to a conventional firewall 104 of the network 102. The
external host 106 may receive communication from and send
communication to internal hosts 114, 116, 118, 120.
[0016] In one illustrative embodiment of aspects of the invention,
a router 112 may be a programmable router comprising a memory unit,
and configured as a reverse firewall. In another example, a reverse
firewall may be implemented in a computing machine (e.g., host 120)
comprising a computer-readable medium storing computer-executable
instructions. One skilled in the art will appreciate that aspects
of the invention may be described in the general context of
computer-executable instructions, such as program modules, executed
by one or more computers or other network devices. Generally,
program modules may include routines, programs, objects,
components, data structures, etc. that perform particular tasks or
implement particular abstract data types. Typically the
functionality of the program modules may be combined or distributed
as desired in various embodiments. Suitable network architecture
may include at least some form of computer readable media. Computer
readable media can be any available media that can be accessed by
computers or other devices.
[0017] FIG. 3 depicts a flowchart of a method for determining a
communications management policy for a reverse firewall in a
network. The communications management policy determines, among
other things, when to drop or pass packets sent from an internal
host in the network. In one example, the reverse firewall may use a
profile comprising a set of rules to implement aspects of the
communications management policy. The set of rules may be used to
determine when to drop or pass packets sent from an internal host
in the network.
[0018] The profile for an internal host 114 in the network may be
generated (in step 302) and used by a reverse firewall to determine
whether to allow or block network communication from an internal
host 114. In one embodiment, a profile for an internal host 114 may
be generated at a network device (e.g., router 112) that is being
used as a reverse firewall in accordance with aspects of the
invention. In an alternative embodiment, a computing machine 120 on
the network may be configured to, among other things, collect
and/or analyze desirable information for use in generating a
profile of an internal host 114. The computing machine 120 may
monitor communication (i.e., traffic) on a network 102 during a
predetermined length of time (i.e., a learning period) to generate
a profile of internal hosts.
[0019] The interaction between the internal hosts on the network
102 may define a community of interest. For example, the computing
machine 120 may analyze flow records of the network 102 to extract
information about internal host communication (e.g., source IP
address, destination IP address, destination port number,
communication protocol, etc.) and generate an initial set of rules
corresponding to the network communication between a plurality of
hosts in the network. This initial set of rules may be used to
generate a profile of a host 114 on the network 102. The profile of
a host 114 may be comprised of PCSPP rules (i.e., a 3-tuple rule
defined by protocol, client, server port, and server profile), PCSP
rules (i.e., a 3-tuple rule defined by protocol, client, and server
profile), and/or PSP rules (i.e., a 3-tuple rule defined by
protocol and server profile).
[0020] In accordance with aspects of the invention, it may be
desirable to identify a core community of interest (i.e., core COI)
for each relevant internal host. The core COI may be of a
popularity community of interest (i.e., popularity COI) type,
frequency community of interest (i.e., frequency COI) type, and/or
a combination thereof. It will be apparent to one skilled in the
art after review of the entire disclosure herein, including any
disclosure incorporated by reference, that the analysis of network
communication in a community of interest contributes to the
generation of an initial set of rules for internal hosts on a
network.
[0021] In one example, in step 302, an initial set of rules
corresponding to communication originating from a host may be
generated based on an analysis of the network communication between
a plurality of hosts in the network during a learning period.
During the learning period, the traffic on the network 102 may be
monitored to generate a set of initial rules. The analysis may
begin with a two-dimensional clustering model, where the number of
connections per port may be shown on one axis, while the number of
destination hosts using that port may be shown on another axis.
Then, using a k-means statistical clustering technique known in the
art, those ports with substantially more traffic may be partitioned
from other ports on the network 102 in an iterative process. The
k-means technique may use randomly selected centroid locations,
therefore, in one example, the k-means technique may be repeated
multiple (e.g., one hundred) times with different centroid
locations to determine the solution with the lowest value for the
sum of within-cluster point-to-centroid distances. The k-means
technique may result in two distinct clusters: the first cluster
corresponding to points clustered around low values of the number of
connections and the number of destination hosts, and the second cluster
comprised of points that have high values along these dimensions.
Thus, the points of the second cluster may be selected as ports for
the transport protocol (e.g., TCP, UDP, etc.) being considered.
This information may be used in generating PCSPP rules, PCSP rules,
and/or PSP rules. Moreover, one skilled in the art will appreciate
that log transformation (i.e., transforming the data value for each
variable to a logarithmic scale to reduce the effect of outliers at
the high end of the value range) and scale standardization (e.g.,
z-score normalization where variables are normalized on a common
scale to avoid one variable from dominating the other in the
cluster) may be used in addition to k-means techniques.
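An added example (not code from the patent) of the port-selection step just described for one transport protocol: per-port counts are log-transformed and z-scored, k-means with k=2 is run from many random centroid pairs, the run with the lowest within-cluster distance is kept, and the high-valued cluster gives the ports used for rule generation. The per-port statistics are constructed for the demonstration.

```python
import math
import random

# Constructed learning-period statistics for TCP:
# port -> (number of connections, number of distinct destination hosts)
PORT_STATS = {
    80: (12000, 320), 443: (9500, 280), 445: (7000, 400), 139: (4100, 260),
    22: (900, 45), 3389: (650, 30),
    1025: (3, 2), 1026: (2, 1), 6000: (5, 1), 8081: (1, 1),
    49152: (4, 2), 5900: (6, 3),
}


def standardise(stats):
    """Log-transform both variables (reduces the pull of high outliers), then
    z-score each across ports so neither axis dominates the clustering."""
    ports = sorted(stats)
    cols = [[math.log(stats[p][i] + 1) for p in ports] for i in (0, 1)]
    zcols = []
    for col in cols:
        mean = sum(col) / len(col)
        sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        zcols.append([(v - mean) / sd for v in col])
    return ports, list(zip(zcols[0], zcols[1]))


def dist2(a, b):
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def centroid(pts):
    return (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))


def assign(points, centroids):
    """Label each point with the index of its nearest centroid."""
    return [0 if dist2(p, centroids[0]) <= dist2(p, centroids[1]) else 1
            for p in points]


def kmeans2(points, rng, iters=100):
    """One k-means run (k=2) seeded from two randomly chosen points.
    Returns (labels, centroids, sum of within-cluster squared distances)."""
    centroids = rng.sample(points, 2)
    for _ in range(iters):
        labels = assign(points, centroids)
        new = []
        for c in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == c]
            new.append(centroid(members) if members else centroids[c])
        if new == centroids:      # converged
            break
        centroids = new
    labels = assign(points, centroids)
    cost = sum(dist2(p, centroids[lab]) for p, lab in zip(points, labels))
    return labels, centroids, cost


def select_server_ports(stats, restarts=100, seed=0):
    """Repeat k-means from different random centroids and keep the run with
    the lowest cost; the cluster whose centroid is higher on both axes holds
    the ports kept for PCSPP/PCSP/PSP rule generation."""
    ports, points = standardise(stats)
    rng = random.Random(seed)
    labels, centroids, _ = min((kmeans2(points, rng) for _ in range(restarts)),
                               key=lambda run: run[2])
    high = 0 if sum(centroids[0]) > sum(centroids[1]) else 1
    return sorted(p for p, lab in zip(ports, labels) if lab == high)


if __name__ == "__main__":
    print(select_server_ports(PORT_STATS))
```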
[0022] In another example, in step 302, a set of rules for a
profile may also be generated based on data analyzed during a
learning period to identify those destination-port pairs that have
substantial amounts of traffic on the network 102. For any source
hosts communicating with the destination-port pair (i.e., the port
on the destination host) a rule may be added to the profile of the
source host. In yet another example, a rule may be added to a
source host's profile to allow all communication from a source host
to all ports on a destination host (e.g., by designating the port
as a wildcard in the rule).
[0023] Once the initial set of rules have been generated, then in
step 304 these rules may be updated. The set of rules may be
automatically updated to accommodate for known undesirable network
communication. For example, it may be desirable to remove any rules
in a profile corresponding to TCP communication between two
internal hosts that consists of less than three packets in each
direction. In another example, it may be desirable to remove any
rules in a profile corresponding to UDP communication between two
internal hosts that consists of less than two packets in either
direction. In yet another example, it may be desirable to not
remove any rules corresponding to ICMP data communication. One
skilled in the art will appreciate that other updates to the
profile of internal hosts are envisioned in accordance with aspects
of the invention.
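An added example (not the patent's code) of steps 302 and 304 as described above: per-host rules are derived from learning-period flow records, rules backed only by the short TCP/UDP exchanges the description treats as known-undesirable are dropped (ICMP rules are kept), and several per-port rules to one destination are collapsed to a wildcard-port rule. The flow-record format, the hosts and the `wildcard_after` threshold are assumptions of this example.

```python
from collections import defaultdict

# Constructed learning-period flow records:
# (src, dst, proto, dport, packets src->dst, packets dst->src)
LEARNING_FLOWS = [
    ("10.0.0.14", "10.0.0.16", "tcp", 23, 40, 35),    # real telnet session
    ("10.0.0.14", "10.0.0.16", "tcp", 23, 12, 10),
    ("10.0.0.14", "10.0.0.18", "tcp", 445, 1, 1),     # single-packet probe
    ("10.0.0.14", "10.0.0.20", "udp", 53, 4, 4),      # DNS lookups
    ("10.0.0.14", "10.0.0.20", "udp", 137, 1, 0),     # unanswered probe
    ("10.0.0.14", "10.0.0.18", "icmp", None, 1, 0),   # ping: never pruned
    ("10.0.0.14", "10.0.0.22", "tcp", 80, 30, 28),    # three ports on one host
    ("10.0.0.14", "10.0.0.22", "tcp", 443, 25, 24),
    ("10.0.0.14", "10.0.0.22", "tcp", 8080, 9, 8),
    ("10.0.0.16", "10.0.0.14", "tcp", 23, 2, 2),      # too short: pruned
]


def aggregate(flows):
    """Sum packets in each direction per (src, dst, proto, dport)."""
    agg = defaultdict(lambda: [0, 0])
    for src, dst, proto, dport, fwd, rev in flows:
        agg[(src, dst, proto, dport)][0] += fwd
        agg[(src, dst, proto, dport)][1] += rev
    return agg


def is_known_undesirable(proto, fwd, rev):
    """Pruning tests from the description: TCP with fewer than three packets
    in each direction, UDP with fewer than two packets in either direction.
    ICMP (and anything else) is never pruned."""
    if proto == "tcp":
        return fwd < 3 and rev < 3
    if proto == "udp":
        return fwd < 2 or rev < 2
    return False


def build_profiles(flows, wildcard_after=3):
    """Return {src_host: set of (proto, dst, dport) rules}; dport None is a
    wildcard for any port on that destination host."""
    profiles = defaultdict(set)
    for (src, dst, proto, dport), (fwd, rev) in aggregate(flows).items():
        if is_known_undesirable(proto, fwd, rev):
            continue                      # step 304: drop the rule
        profiles[src].add((proto, dst, dport))
    # Collapse many per-port rules for one destination into a wildcard rule
    # (the wildcard_after threshold is an assumption of this example).
    for rules in profiles.values():
        by_dest = defaultdict(set)
        for proto, dst, dport in rules:
            if dport is not None:
                by_dest[(proto, dst)].add(dport)
        for (proto, dst), ports in by_dest.items():
            if len(ports) >= wildcard_after:
                rules.difference_update({(proto, dst, p) for p in ports})
                rules.add((proto, dst, None))
    return dict(profiles)


if __name__ == "__main__":
    for host, rules in build_profiles(LEARNING_FLOWS).items():
        print(host, sorted(rules, key=str))
```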
[0024] In various embodiments of the invention, it may be desirable
for the communications management policy for a reverse firewall to
be comprised of a profile of the internal hosts and/or a throttling
discipline (TD). As described earlier, a reverse firewall may set
(in step 306) a TD for out-of-profile network communication from an
internal host. In one example, the TD may be used to describe the
tolerable rate of out-of-profile communication from an internal
host and the action to take when the rate is exceeded. After review
of the entire disclosure herein, one skilled in the art will
appreciate that various throttling disciplines are available for
use with a reverse firewall.
[0025] In accordance with aspects of the invention, FIG. 2 depicts
a flowchart of a method for securing a network from a host using a
reverse firewall. In the illustrative embodiment depicted by FIG.
2, the reverse firewall may be embodied in a network device such as
router 112 located on the network 102 and storing a profile of a
host 114. The profile of a host 114 is comprised of a set of rules
defining the internal exchange of network packets between that host
114 and other hosts (116, 118, and 120) in the network 102. The
profile of a host 114 is discussed in greater detail in relation to
the description of FIG. 4 below.
[0026] In step 202, the reverse firewall receives network
communication from an internal host 114 (i.e., a host on the
internal network 102). The network communication may be the result
of an application (e.g., a web browser, instant messenger, etc.)
running on the internal host 114. One skilled in the art will
recognize that network communication may include any communication
between devices on a network. For example, an internal host 114 may
be running a telnet program that is exchanging information with
another internal host 116 on port 23 using transmission control
protocol (TCP). The network communication may also occur using
protocols, such as user datagram protocol (UDP), Internet control
message protocol (ICMP), dynamic host configuration protocol (DHCP)
and other protocols apparent to those skilled in the art. In some
embodiments, the reverse firewall may be configured to allow or
block network communication based on at least the protocol being
used. For example, a reverse firewall may be configured to not
block any DHCP traffic from internal hosts. These and other
embodiments of aspects of the invention will become apparent to one
skilled in the art after review of the entire disclosure.
[0027] In step 204, the reverse firewall accesses the profile
corresponding to the internal host 114 that is the source of the
network communication (i.e., internal source host) to determine if
the parameters of the network communication (e.g., destination
address, destination port, and/or communication protocol) are
present in the profile of the internal source host 114. Parameters
of network communication include, but are not limited to,
destination address, destination port, and communication protocol.
If the destination host (i.e., the host corresponding to the
destination address) parameter is included in the profile of the
internal source host 114, then the network communication from the
internal source host 114 to the destination host may be allowed to
pass. In addition, if the profile of the internal source host 114
includes information about a port or range of ports on the
destination host, then the reverse firewall may also consider the
destination port parameter of the network communication in allowing
(or blocking) the network communication. Moreover, if the profile
of the internal source host 114 includes information about
communication protocol, then the reverse firewall may also consider
the protocol parameter of the network communication in allowing (or
blocking) the network communication. In one embodiment, network
communication from a host is in the profile of that host if the
destination address (e.g., IP address of the destination host)
parameter, destination port (e.g., port 23) parameter, and
communication protocol (e.g., UDP) parameter are present in the
profile of the host. One skilled in the art will appreciate that
numerous variations and/or combinations of the exemplary items
(e.g., address, port, protocol, allow/block status, etc.) that may
appear in a rule of a profile are envisioned in accordance with
aspects of the invention.
[0028] In an example in accordance with aspects of the invention,
an internal source host 114 attempts to send network communication
to port 23 of an internal destination host 116 using UDP. The
reverse firewall may access the profile corresponding to the
internal source host 114 to determine if UDP communication from the
internal source host 114 to port 23 on the destination host 116 is
allowed in the profile. In one example, assuming the profile
contains a rule (or set of rules) allowing UDP communication from
the source host 114 to port 23 on the destination host 116, the
communication may be allowed (in step 206) to be sent to the
destination host 116. In another example, assuming the profile
contains a rule (or set of rules) allowing UDP communication from
the source host 114 to any port on the destination host 116 (e.g.,
the port is a wildcard, port is not an item in the profile, etc.),
the network communication may be allowed (in step 206) to be sent
to the destination host 116. One skilled in the art will appreciate
that numerous variations and combinations of the above examples of
profile rules (or set of rules) are envisioned in accordance with
aspects of the invention.
[0029] On the other hand, if the network communication from the
source host 114 is not in the internal source host's profile (i.e.,
it is out-of-profile network communication), the reverse firewall
may consider additional factors in determining whether to allow or
block the network communication from the source host. For example,
the reverse firewall may be configured to enforce a throttling
discipline (TD) on the network communication (in step 208). A
throttling discipline may be used, among other things, to control
out-of-profile network communication from a host. Examples of
throttling disciplines include, but are not limited to, an
n-r-relaxed discipline, an n-r-strict discipline, an n-r-open
discipline, combinations and/or derivations of these disciplines,
and/or other throttling disciplines that will be apparent to one
skilled in the art after review of the entire disclosure
herein.
[0030] For example, an n-r-strict throttling discipline blocks all
communication, both out-of-profile and in-profile, from an internal
host after the number of out-of-profile communications from that
internal source host exceeds a threshold `n` within a time period
`r`. Thus, out-of-profile communication is not necessarily always
blocked. In one example in accordance with various aspects of the
invention, a reverse firewall is enforcing an n-r-strict throttling
discipline where the value of `n` is zero. Therefore, all network
communication from an internal source host is blocked when an
out-of-profile network communication is attempted by the internal
source host. A reverse firewall enforcing such a TD might not
require a value for `r`. An n-r-strict discipline with the value of
`n` as zero may result in a highly secure internal network 102
where no out-of-profile communication is allowed.
[0031] The number of out-of-profile communications may be measured
by the number of out-of-profile packets or some other measurable
unit that will be apparent to one skilled in the art. For example,
flow records (e.g., records generated by some Cisco routers when
`netflow` is enabled) grouped into, e.g., 5-minute intervals, may
be used to determine the number of out-of-profile communications.
Similarly, the packet tracking feature on some routers may be used
to measure the number of out-of-profile communications.
Furthermore, an out-of-profile counter may be used to track the
number of out-of-profile communications sent from an internal host
during a time period `r` (e.g., 10 minutes). In an illustrative
embodiment, an out-of-profile counter in a reverse firewall may be
provided for each host in the internal network 102. When the
network communication from an internal host is not in the profile
of that host, (in step 210) the out-of-profile counter may be
updated, e.g., by incrementing a numeric counter in the
out-of-profile counter. The out-of-profile counter is discussed in
greater detail in relation to the description of FIG. 4 below.
[0032] Another example of a throttling discipline includes an
n-r-relaxed discipline that allows an internal host to send `n`
out-of-profile communications within a time period `r`. If the
number of out-of-profile communications exceeds a threshold `n`
within a time period `r`, all future communication (both in-profile
and out-of-profile) from the internal source host is blocked. When
the value of `n` in an n-r-relaxed throttling discipline is zero,
the throttling discipline behaves the same as an n-r-strict
discipline with the value of `n` as zero. In addition, an
out-of-profile counter may be used with this TD similar to that
discussed earlier.
[0033] Yet another example of a throttling discipline includes an
n-r-open discipline that allows a threshold of `n` out-of-profile
communications within a time period `r`. Under this TD, once the
threshold has been reached, the reverse firewall blocks all
out-of-profile communications from the internal source host. The
reverse firewall, however, does not block any of the communication
that is in-profile in an n-r-open discipline. In addition, an
out-of-profile counter may be used with this TD similar to that
discussed earlier. At least one benefit of an n-r-open discipline
is the ability for an internal host to continue to function by
communicating with other hosts in its profile even after the
threshold has been reached. Thus, an internal host may still be able
to operate a reduced number of network applications.
[0034] In some throttling disciplines, once a threshold has been
reached, a network administrator or operator may be required to
manually reset the out-of-profile counter corresponding to the
internal host. In an alternative embodiment in accordance with
aspects of the invention, a user of the internal source host may be
presented with a pop-up dialog box on a visible display screen
where the user may authorize the reset of the out-of-profile
counter for that host. One skilled in the art will appreciate that
in some industries, e.g., banking, that are required to enforce
high standards of network security, a pop-up dialog box may be less
desirable than a manual reset by an administrator. In another
embodiment, the user may be able to use the pop-up dialog box to
update the profile of the host to include a rule (or set of rules)
for the network communication at issue.
[0035] In another example in accordance with aspects of the
invention, even if the profile contains a rule (or a set of rules)
allowing the communication between a source host 114 and a
destination host 116 (in step 204), the reverse firewall may still
block the communication. The reverse firewall may enforce a
throttling discipline (TD) to determine (in step 216) whether to
allow or block the in-profile communication from the source host
114. For example, in a reverse firewall enforcing a TD of
n-r-relaxed discipline, once the `n` value has been exceeded within
a time period `r`, all future communication, including both
in-profile and out-of-profile communication, from the host is
blocked (in step 214). In another example involving a reverse
firewall enforcing a TD of n-r-open discipline, the in-profile
communication from a network host 114 is allowed (in step 206)
regardless of whether the threshold value `n` has been met.
[0036] In step 212, a reverse firewall enforcing a throttling
discipline on the network communication at issue may use, among
other things, the out-of-profile counter to determine whether to
block (or allow) the network communication. For example, a reverse
firewall enforcing an n-r-relaxed discipline with an `n` value of 10
and an `r` value of 60 seconds may block (in step 214) all future
network communication, including both in-profile and out-of-profile
communication, from an internal source host after the TD for that
internal source host has been reached. In that example, even if the
network communication is in the profile of the internal source host
in step 204, the network communication may be blocked (i.e., step
214 may be performed instead of step 206). The out-of-profile
counter in this example may contain a flag (e.g., boolean variable)
for indicating a blocked state or allow state. In some embodiments,
all network communication from an internal source host will
continue to be blocked until a network administrator (or
equivalent) resets the out-of-profile counter. In another
embodiment, the out-of-profile counter may automatically reset
after a predetermined amount of time (i.e., block time interval)
has elapsed (e.g., 20 minutes). In yet another embodiment, the user
of the blocked internal source host may be able to manually reset
the out-of-profile counter. One skilled in the art will appreciate
that there are various techniques for blocking (in step 214)
network communication from an internal host. For example, a reverse
firewall may simply refuse to forward (i.e., drop) certain packets
to their destination. In another example, address resolution
protocol (ARP) may be used to modify mappings stored in tables used
by the internal source host to effectively block the appropriate
communication from the internal source host.
[0037] FIG. 4 illustrates a simplified diagram of a portion of a
memory unit 400 in a reverse firewall located on a network 102 in
accordance with various aspects of the invention. The memory unit
400 may comprise volatile and/or non-volatile memory. The memory
unit 400 may store a set of rules 404, 406 corresponding to the
profile of a host 114 in the network 102. The memory unit 400 may
be part of a network device (e.g., router 112, conventional
firewall 104, computing device 120) configured to enforce a profile
of a host 114 in a network 102. The same network device may also be
configured to enforce a throttling discipline in accordance with
various aspects of the invention. For example, the network device
may be comprised of a programmable router (e.g., router 112)
configured as a reverse firewall. One skilled in the art will
appreciate that the memory unit 400 need not necessarily be
physically located in a network device. Rather, in accordance with
aspects of the invention, the network device may simply access the
memory unit to identify the set of rules corresponding to the
profile of the host in the network.
[0038] In the illustrative embodiment in FIG. 4, the profile 402 of
an internal host may be comprised of PCSPP rules (i.e., a 3-tuple
rule defined by protocol, client, server port, and server profile),
PCSP rules (i.e., a 3-tuple rule defined by protocol, client, and
server profile), and/or PSP rules (i.e., a 3-tuple rule defined by
protocol and server profile). A reverse firewall (e.g., router 112)
with a profile of a host 114 comprising a PCSPP rule 404 may use
that rule 404 to control network communication sent from an
internal source host 114 in the network 102. For example, a reverse
firewall receiving network communication from a host 114 with an IP
address of 1.1.182.1 may allow the communication if the internal
destination host's IP address is 1.1.182.2 and is occurring on port
80 using TCP because that network communication is in the profile
of the source host 114. Similarly, a reverse firewall receiving
network communication from a host 114 may allow the communication
if the destination host's IP address is 1.1.182.2 and is occurring
using UDP because that rule 406 defines that network communication
to be in the profile of the source host 114. In that example, the
profile 402 of the host 114 contained a PCSP rule 406 where the
destination port of the communication was not a factor in
determining whether the communication was in-profile for the host or
out-of-profile. Meanwhile, a PSP rule 408 applies to the profile of
all source hosts directed at a given destination host (e.g., host
118 with an IP address of 1.1.182.3).
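The following is an added worked example, not part of the application's disclosure, showing how the PCSPP, PCSP and PSP rule forms of FIG. 4 can be expressed as match predicates and evaluated against a communication from an internal source host. The field names, the use of unset fields as wildcards, and the helper names are assumptions made for the example; the protocol of PSP rule 408 is not stated above and is taken to be TCP for illustration only.

```python
"""PCSPP / PCSP / PSP profile rules of FIG. 4 as match predicates.

Added example for this page, not the applicants' implementation.  A rule
field left as None is a wildcard: a PCSPP rule sets protocol, client,
server and port; a PCSP rule leaves port unset; a PSP rule leaves both
client and port unset (it applies to all source hosts, per [0038])."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Communication:
    protocol: str   # "tcp" or "udp"
    client: str     # IP address of the internal source host
    server: str     # IP address of the destination host
    port: int       # destination (server) port


@dataclass(frozen=True)
class Rule:
    protocol: str
    server: str
    client: Optional[str] = None   # None: any source host (PSP)
    port: Optional[int] = None     # None: any server port (PCSP / PSP)

    @property
    def kind(self) -> str:
        """Name of the rule form, derived from which fields are set."""
        if self.client is None:
            return "PSP"
        return "PCSP" if self.port is None else "PCSPP"

    def matches(self, c: Communication) -> bool:
        """True when every set field of the rule equals the communication's."""
        return (self.protocol == c.protocol
                and self.server == c.server
                and (self.client is None or self.client == c.client)
                and (self.port is None or self.port == c.port))


# Small constructors so a profile reads like the figure's rule list.
def pcspp(protocol: str, client: str, server: str, port: int) -> Rule:
    return Rule(protocol, server, client, port)


def pcsp(protocol: str, client: str, server: str) -> Rule:
    return Rule(protocol, server, client)


def psp(protocol: str, server: str) -> Rule:
    return Rule(protocol, server)


class Profile:
    """The set of rules 404, 406, ... held in memory unit 400 for a host."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules: List[Rule] = list(rules)

    def classify(self, comm: Communication) -> Optional[Rule]:
        """Return the first rule that admits the communication (in-profile),
        or None when no rule does (out-of-profile)."""
        for rule in self.rules:
            if rule.matches(comm):
                return rule
        return None


# Constructed profile 402 mirroring the text of [0038]: host 114 is
# 1.1.182.1, host 116 is 1.1.182.2, host 118 is 1.1.182.3.
RULE_404 = pcspp("tcp", "1.1.182.1", "1.1.182.2", 80)   # TCP to 1.1.182.2:80
RULE_406 = pcsp("udp", "1.1.182.1", "1.1.182.2")        # UDP to 1.1.182.2, any port
RULE_408 = psp("tcp", "1.1.182.3")                      # any host to 1.1.182.3 (TCP assumed)
PROFILE_402 = Profile([RULE_404, RULE_406, RULE_408])


def is_in_profile(comm: Communication) -> bool:
    """Step 204 of the flowchart: in-profile or out-of-profile."""
    return PROFILE_402.classify(comm) is not None


if __name__ == "__main__":
    for comm in (Communication("tcp", "1.1.182.1", "1.1.182.2", 80),
                 Communication("tcp", "1.1.182.1", "1.1.182.2", 443),
                 Communication("udp", "1.1.182.1", "1.1.182.2", 5000),
                 Communication("tcp", "1.1.182.9", "1.1.182.3", 22)):
        rule = PROFILE_402.classify(comm)
        print(comm, "->", rule.kind if rule else "out-of-profile")
```

Rule order matters only when more than one rule admits a communication; the classifier reports the first match, so a broad PSP rule placed first would mask the narrower PCSPP rule that a practitioner might expect to see in an audit log.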
[0039] A network device configured to enforce a throttling
discipline may be coupled to an out-of-profile counter 410. The
out-of-profile counter 410 may be used to enforce the throttling
discipline. The out-of-profile counter 410 may be comprised of a
number and a timer. In other words, the out-of-profile counter 410
may comprise memory for storing the number of out-of-profile
communications sent from an internal host 114 and circuitry or
computer-executable instructions for use as a clock timer. For
example, in a network 102 comprising a reverse firewall (e.g.,
router 112) and two internal hosts 114, 116 connected to a network
device 112, a memory unit 400 may store an out-of-profile counter
410 for each of the hosts 114, 116. In enforcing a
throttling discipline, the reverse firewall may use the
out-of-profile counter to determine whether the threshold level has
been reached. One skilled in the art will recognize that an
out-of-profile counter in accordance with aspects of the invention
may comprise other features, including, but not limited to, a
second clock timer for determining when a block time interval, as
described earlier, has elapsed.
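The following is an added worked example, not part of the application's disclosure, that ties together the throttling disciplines of paragraphs [0033] through [0036] and the out-of-profile counter of paragraph [0039]: a per-host counter (a number plus a timer, with a blocked-state flag that also serves as the second clock timer for the block time interval), an n-r-relaxed discipline that blocks all traffic once the threshold is exceeded, and an n-r-open discipline that keeps passing in-profile traffic. The class and parameter names (including `block_interval`) are assumptions; so are the choices that the profile is simplified to a set of allowed (protocol, destination, port) tuples rather than the rule forms of FIG. 4, that the threshold is exceeded by the (n+1)th out-of-profile communication, that the `r`-second window is a fixed window starting at the first out-of-profile communication after a reset, and that out-of-profile traffic below the threshold passes under both disciplines.

```python
"""Throttling disciplines (n-r-relaxed, n-r-open) with a per-host
out-of-profile counter.  Added example for this page, not the patent's
own code.  The host profile is simplified to a set of allowed
(protocol, destination, port) tuples per internal source host."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ALLOW, BLOCK = "allow", "block"   # outcomes of steps 206 and 214


@dataclass
class OutOfProfileCounter:
    """A number plus a timer (paragraph [0039]).  blocked_since doubles as
    the blocked-state flag of [0036] and as the second clock timer that
    measures the block time interval."""
    count: int = 0
    window_start: Optional[float] = None    # start of the current r-second window
    blocked_since: Optional[float] = None   # None means the allow state

    def reset(self) -> None:
        """Manual reset by an administrator (or, in some embodiments, the user)."""
        self.count = 0
        self.window_start = None
        self.blocked_since = None


class ReverseFirewall:
    """Enforce a host profile plus one throttling discipline (TD).

    discipline: "n-r-relaxed" -> once the threshold is exceeded, every
                communication from the host is blocked, in-profile or not;
                "n-r-open"    -> once exceeded, only out-of-profile is blocked.
    n, r:        at most n out-of-profile communications per r seconds.
    block_interval: seconds after which the counter resets automatically
                (assumed parameter); None means block until a manual reset.
    """

    def __init__(self, profiles: Dict[str, Set[Tuple[str, str, int]]],
                 discipline: str, n: int, r: float,
                 block_interval: Optional[float] = None):
        assert discipline in ("n-r-relaxed", "n-r-open")
        self.profiles = profiles
        self.discipline = discipline
        self.n, self.r = n, r
        self.block_interval = block_interval
        self.counters: Dict[str, OutOfProfileCounter] = {}   # one per source host

    def counter(self, src: str) -> OutOfProfileCounter:
        return self.counters.setdefault(src, OutOfProfileCounter())

    def in_profile(self, src: str, protocol: str, dst: str, port: int) -> bool:
        """Step 204: is this communication in the source host's profile?"""
        return (protocol, dst, port) in self.profiles.get(src, set())

    def decide(self, src: str, protocol: str, dst: str, port: int, now: float) -> str:
        """Steps 204/212/216: return ALLOW or BLOCK for one communication."""
        c = self.counter(src)
        # Automatic reset once the block time interval has elapsed.
        if (c.blocked_since is not None and self.block_interval is not None
                and now - c.blocked_since >= self.block_interval):
            c.reset()
        matched = self.in_profile(src, protocol, dst, port)
        if c.blocked_since is not None:            # threshold already hit
            if self.discipline == "n-r-open" and matched:
                return ALLOW                       # in-profile keeps flowing
            return BLOCK                           # step 214
        if matched:
            return ALLOW                           # step 206
        # Out-of-profile: count it within a fixed r-second window that
        # starts at the first out-of-profile communication (assumed model).
        if c.window_start is None or now - c.window_start >= self.r:
            c.count, c.window_start = 0, now
        c.count += 1
        if c.count > self.n:                       # the (n+1)th exceeds n
            c.blocked_since = now
            return BLOCK
        return ALLOW   # below threshold: let it through, but it is counted


def demo():
    """Constructed traffic for one internal host under n-r-relaxed with
    n=2, r=60 s and an automatic reset after 20 minutes (1200 s)."""
    profile = {"1.1.182.1": {("tcp", "1.1.182.2", 80)}}
    fw = ReverseFirewall(profile, "n-r-relaxed", n=2, r=60, block_interval=1200)
    events = [("tcp", "1.1.182.2", 80, 0), ("udp", "1.1.182.9", 53, 1),
              ("udp", "1.1.182.9", 53, 2), ("udp", "1.1.182.9", 53, 3),
              ("tcp", "1.1.182.2", 80, 4), ("tcp", "1.1.182.2", 80, 1204)]
    return [fw.decide("1.1.182.1", p, d, port, t) for p, d, port, t in events]


if __name__ == "__main__":
    print(demo())   # ['allow', 'allow', 'allow', 'block', 'block', 'allow']
```

In the demo the fifth event is in-profile yet blocked, which is the n-r-relaxed behaviour described in [0035] and [0036]; switching the discipline to "n-r-open" lets that event through while the out-of-profile ones stay blocked until the counter is reset.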
[0040] After thorough review of the entire disclosure, it will
become apparent to one skilled in the art that there are numerous
practical applications for various aspects of the invention. For
example, a computer-readable medium containing computer-executable
instructions for performing the method diagrammed in the flowcharts
of FIGS. 2 and 3 is contemplated by the aforementioned disclosure.
The computer-executable instructions may be executed by a
processing unit in a reverse firewall or any other device
configured to behave accordingly. The usefulness of aspects of the
invention in such a context is apparent to one skilled in the
art.
[0041] The use of the term "connect" and similar referents in the
context of describing aspects of the invention, especially in the
context of the following claims, is to be construed to require
a physical connection or direct connection. Furthermore, the terms
"comprising," "having," "including," and "containing" are to be
construed as open-ended terms (meaning "including, but not limited
to,") unless otherwise noted. The use of any and all examples or
exemplary language herein (e.g., "such as") is intended merely to
better illuminate the invention and does not pose a limitation on
the scope of the invention unless otherwise claimed. No language in
the specification should be construed as indicating any non-claimed
element as essential to the practice of the invention.
[0042] Various aspects of the invention have been described in
terms of exemplary or illustrative embodiments thereof. Numerous
other embodiments, modifications and variations within the scope
and spirit of the appended claims will occur to persons of ordinary
skill in the art from a review of this disclosure and any
disclosures incorporated by reference herein.
* * * * *