Networks such as intranets, subnets, internets and WANs are well known today, as are firewalls that control access to local networks and to the computers and other devices on those networks. A firewall is a program or device located at a gateway to the local network or within computers on the local network. The firewall may control access to the local network or computer based on a list of “rules” of permitted incoming or outgoing message flows through the firewall. The permitted message flows may be defined by a list of IP addresses of specific computers or networks from which or to which messages are permitted to flow through the firewall, and optionally the respective permitted ports and protocols for each such IP address, for both incoming and outgoing messages. If a firewall rule identifies a network (such as a subnet) as a permitted source network or permitted destination network, then all computers on that network are permitted source devices or permitted destination devices, respectively.

As known in the industry, an IP address comprises four sets of numbers, each set separated from the adjacent set by a period. The first three sets of numbers identify a local network, and the fourth set identifies a specific device on that local network. To identify a subnet (including all devices on the subnet), the fourth set of numbers is a “zero”. So, if all computers on a specific subnet are permitted to receive incoming messages or send outgoing messages, the firewall rule would include the three sets of numbers at the beginning of the IP address to identify the subnet, followed by a last set of numbers equal to “zero”.
Over time, systems administrators tend to add further rules of permitted message flows to the firewall, so the list of rules generally grows. Because the firewall must check every incoming and outgoing message against the rules in its list, a lengthy list of rules will generally slow the flow of messages. Some of the rules may not be needed or may be improper, and these rules needlessly slow the flow of messages.
Also, occasionally a server needs to be added to a cluster of existing servers to improve the performance of a common application hosted by the cluster. Upon addition of the server to the cluster, rules need to be added to the firewall to allow message flows to the new server. It has proven tedious in the past for an administrator to determine and enter these rules for the new server. When a server is added to a cluster or grouping of computers, the firewall administrator will typically copy for the added server all the rules of an existing server that belongs to the same cluster. However, a new or existing server may belong to many clusters; therefore the rules copied for the new server may include the rules for the servers in all the other clusters to which the existing server belongs. This may result in unnecessary or redundant rules that burden the firewall.
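As an added illustration, not part of the patent text, the following Python models the rule list described above (source, destination, port and protocol per direction, with a fourth octet of zero denoting a whole subnet) and shows the linear per-message check and a simple pass that flags rules whose permitted flows are already covered by another rule. The `Rule` fields, the use of port 0 and protocol "any" as wildcards, and the sample rules are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    src: str        # dotted-quad IPv4; fourth octet "0" denotes the whole subnet
    dst: str
    port: int       # 0 = any port (assumption for this example)
    protocol: str   # "tcp", "udp" or "any" (assumption for this example)

def address_covers(rule_addr: str, addr: str) -> bool:
    """True if rule_addr permits addr: exact host match, or subnet match when the
    rule's fourth octet is zero (the /24 convention the text describes; real
    firewalls generalise this with a netmask or CIDR prefix)."""
    r, a = rule_addr.split("."), addr.split(".")
    if len(r) != 4 or len(a) != 4:
        raise ValueError("expected dotted-quad IPv4 addresses")
    if r[3] == "0":
        return r[:3] == a[:3]
    return r == a

def rule_covers(a: Rule, b: Rule) -> bool:
    """True if every flow permitted by rule b is also permitted by rule a."""
    return (a.direction == b.direction
            and address_covers(a.src, b.src) and address_covers(a.dst, b.dst)
            and a.port in (0, b.port)
            and a.protocol in ("any", b.protocol))

def is_permitted(rules: List[Rule], direction: str, src: str, dst: str,
                 port: int, protocol: str) -> bool:
    """The per-message check: a linear scan over the whole rule list, which is
    why a long list of rules slows every message."""
    msg = Rule(direction, src, dst, port, protocol)
    return any(rule_covers(r, msg) for r in rules)

def redundant_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that add nothing: exact duplicates after their first copy, and rules
    (e.g. a host rule) entirely covered by a broader rule (e.g. its subnet rule)."""
    out = []
    for i, b in enumerate(rules):
        for j, a in enumerate(rules):
            if j == i:
                continue
            if (a == b and j < i) or (a != b and rule_covers(a, b)):
                out.append(b)
                break
    return out
```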
An object of the present invention is to identify and delete unneeded rules in a firewall.
Another object of the present invention is to identify and delete improper rules in a firewall.
Another object of the present invention is to automate and improve the process of determining new rules to add to a firewall when a new server is added to a cluster of servers.