The field of the invention is that of interconnected computer networks.
The openness of computer networks according to the internet protocol affords many opportunities. However, it also entails hazards: network intrusion risks and protection problems. Hardware and software are available for performing packet filtering using the internet protocol. However, controlling this filtering in order to apply demanding security policies is difficult and complicated.
The invention relates to a method of simply and automatically generating filters, using the internet protocol, intended to avoid the risks of intrusion of interconnected computer networks.
The terms that will be used hereafter to outline the technical solution according to the invention are defined as follows:
"Network" designates one or more closed address spaces (according to the topological meaning of the term) of the internet protocol.
"Objects" designate the components of a network. Thus, without this enumeration being exhaustive, objects as understood by this invention are: computers, computer equipment, servers, printers, (physical or logical) networks, (physical or logical) sub-networks, filter equipment, firewalls, users or user groups, computer applications. An object is characterized by its type and name. E.g., a filtering router is an object type, just like a set of networks is an object type. An object has one or several addresses or one or several closed address spaces.
A "protocol" designates a convention stating the rules and technical specifications to follow in the telecommunication field in order to provide object interoperability.
A "communication protocol" designates a protocol, such as for instance the internet protocol, defining a data transfer technique.
An "application protocol" or "service" designates a protocol defining a data or command exchange technique for a given application.
A "class" designates all addresses having the same laws of communication. A class can gather other classes. Classes are objects as understood by the present specification of the invention.
A "law of communication" designates a law which, for the application protocol involved, enables or disables communication between a pair of objects, a pair of classes or a mixed (class, object) pair.
A "security domain" designates a set of interconnected objects to which apply the laws of communication peculiar to each object or else generic ones.
A "link" or "connection" designates physical connections (e.g. network cables) linking objects together. A network is a set of interconnected objects.
A "router" designates equipment enabling the interconnection of separate objects.
A "filter" designates the technical means that implement the laws of communication. E.g., programming a router makes it possible to control whether two separate networks can communicate. By extension, a filtering router designates equipment enabling internet protocol filtering.
The objectives this invention aims at, i.e. simply and automatically generating filters intended to avoid the risks of intrusion of interconnected computer networks, are achieved through a method consisting in iteratively using a graphical interface for:
creating and viewing objects and classes of the security domain,
selecting and viewing the application protocols for which filters are to be created,
drawing at the graphical interface, by means of arrow curves, the laws of communication for each previously selected application protocol.
Drawing such arrow curves representing the laws of communication makes it possible to create, simultaneously and instantly, the filters associated with the filtering routers and applicable to the objects involved. Therefore, and according to a further step of the method:
the graphical data representing the laws of communication are converted into programming data of the filtering routers.
The inventive method allows the graphical interface to be used for viewing the security policy of the security domain and modifying it if required. Preferably, the laws of communication between objects or classes are modified at the graphical interface by selecting predetermined application protocols.
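The conversion step above (drawn laws of communication turned into filter programming data) is illustrated here by an added Python model that is not part of the patent: objects own closed address spaces, classes gather objects or other classes, each drawn arrow becomes a Law, and generate_filters emits one filter line per (source space, destination space) pair. The SERVICES table, the filter line syntax and the sample security domain are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, collapse_addresses

# Application protocols (services) and their transport/port: an assumed table.
SERVICES = {"smtp": ("tcp", 25), "http": ("tcp", 80), "dns": ("udp", 53)}
@dataclass
class Obj:      # a network component owning one or more closed address spaces
    name: str
    addresses: list
@dataclass
class Cls:      # a class: objects (or other classes) sharing the same laws
    name: str
    members: list = field(default_factory=list)
@dataclass
class Law:      # one drawn arrow: service, source, destination, enable/disable
    service: str
    src: object
    dst: object
    allow: bool = True

def expand(node):
    """Flatten an object or nested class to a minimal list of address spaces."""
    nets = node.addresses if isinstance(node, Obj) else [n for m in node.members for n in expand(m)]
    return list(collapse_addresses(nets))

def generate_filters(laws, default_deny=True):
    """Convert laws into filter lines for a filtering router. Deny arrows come
    first so an object denied inside a permitted class stays blocked."""
    rules = []
    for law in sorted(laws, key=lambda l: l.allow):      # False (deny) sorts first
        proto, port = SERVICES[law.service]
        action = "permit" if law.allow else "deny"
        for s in expand(law.src):
            for d in expand(law.dst):
                rules.append(f"{action} {proto} {s} -> {d} port {port}")
    if default_deny:                                     # anything not drawn is refused
        rules.append("deny ip any -> any")
    return rules

# Constructed sample security domain: a LAN, a DMZ class holding two servers,
# and one guest host inside the LAN that must not reach the DMZ over HTTP.
lan = Obj("lan", [IPv4Network("10.0.1.0/24")])
mail, web = Obj("mail", [IPv4Network("10.0.2.5/32")]), Obj("web", [IPv4Network("10.0.2.6/32")])
dmz = Cls("dmz", [mail, web])
guest = Obj("guest", [IPv4Network("10.0.1.200/32")])

def sample_policy():
    laws = [Law("smtp", lan, mail), Law("http", lan, dmz), Law("http", guest, dmz, allow=False)]
    return generate_filters(laws)
```

Redrawing an arrow and re-running generate_filters regenerates the whole filter list, which is how the graphical policy and the router programming stay consistent.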
This invention also relates to a system for simply and automatically generating filters, according to the internet protocol, intended to avoid the risks of intrusion of interconnected computer networks. Said system consists in using a graphical interface associated with a computing terminal and control means interacting with the graphical interface, for:
creating and viewing objects and classes of the security domain,
selecting and viewing the application protocols for which filters are to be created,
drawing at the graphical interface, by means of arrow curves, the laws of communication for each previously selected application protocol.
Drawing such arrow curves representing the laws of communication makes it possible to create, simultaneously and instantly, the filters associated with the filtering routers and applicable to the objects involved. Therefore, and according to a further step of the method:
the graphical data representing the laws of communication are converted into programming data of the filtering routers.
The inventive system allows the graphical interface to be used for viewing the security policy of the security domain and modifying it if required. Preferably, for the modification of the laws of communication between objects or classes at the graphical interface, the control means comprise means for selecting predetermined application protocols.