METHOD AND SYSTEM FOR DISTRIBUTING SECURITY POLICIES
    12.
    Invention application
    METHOD AND SYSTEM FOR DISTRIBUTING SECURITY POLICIES (in force)

    Publication number: US20090172774A1

    Publication date: 2009-07-02

    Application number: US12402448

    Filing date: 2009-03-11

    IPC classification: G06F21/00

    Abstract: A method and system for distributing and enforcing security policies is provided. A firewall agent executing at a host computer system that is to be protected receives security policies for the enforcement engines responsible for enforcing the security policies on the host computer system. A security policy has rules that each provide a condition and an action to be performed when the condition is satisfied. A rule also has a rule type that is used by the distribution system to identify the security components that are responsible for enforcing the rules. To distribute the security policies that have been received at a host computer system, the firewall agent identifies to which enforcement engine a rule applies based in part on rule type. The firewall agent then distributes the rule to the identified enforcement engine, which then enforces the rule.

Host firewall integration with edge traversal technology
    13.
    Invention application
    Host firewall integration with edge traversal technology (in force)

    Publication number: US20090007251A1

    Publication date: 2009-01-01

    Application number: US11821839

    Filing date: 2007-06-26

    IPC classification: G06F9/00

    CPC classification: H04L63/029

    Abstract: A host firewall can determine and consider whether unsolicited traffic is inbound from beyond the edge of the network and allow or block such traffic based at least in part upon this characteristic. In one implementation, an edge traversal parameter can be set on a host firewall rule, which typically includes other parameters such as port, protocol, etc. If the unsolicited traffic received via an edge traversal interface matches a host firewall rule that has the edge traversal criterion, then the firewall does not block the traffic. On the other hand, if the unsolicited traffic received via an edge traversal interface fails to satisfy the edge traversal criterion on any firewall rule, then the firewall blocks the traffic.

Firewall installer
    14.
    Invention application
    Firewall installer (in force)

    Publication number: US20080289026A1

    Publication date: 2008-11-20

    Application number: US11804409

    Filing date: 2007-05-18

    IPC classification: G06F15/16

    Abstract: Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural, process-oriented input facilitates administration of a firewall by allowing an administrator to specify the desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online.