The present invention relates to network security, and more particularly to utilizing rule sets associated with network objects for providing network security.
One of the most significant parts of any firewall configuration is what actions are permitted or denied. The decision is based on an action's parameters such as connection source and destination IP address and host name, user name or group a user belongs to, etc. The current version of the GAUNTLET firewall, as well as other firewalls, uses some variation of the "sequential" evaluation approach. Rules are combined in a table or a tree. For every new connection, the firewall searches the rule space to find the rule that matches the connection's parameters.
The big limitation of this approach is the inability to support multiple group memberships in any meaningful fashion. It also fails to present a coherent view of configuration in case multiple group membership is present. A common example of multiple group membership is where a user belongs to more than one user group.
With the source-based approach, a policy map specifies the IP addresses and the IP ranges that are evaluated sequentially at run time. First, a matching entry is used to retrieve the policy. The policy determines whether the connection should be permitted or denied. For permitted connections, each policy contains proxy configuration parameters such as anti-virus on/off, the handoff host address, welcome prompt, etc. IP packet screening exists as an independent facility. The packet-screening rules are evaluated from top to bottom and the first rule that matches is used. The packet-screening rules have priority over the policy rules enforced by the proxies.
The advantages of the traditional approach described immediately above are:
This methodology is very simple and is well understood by administrators of the firewall.
Each policy presents a coherent view of what is permitted or denied for a given source object.
On the other hand, the existing method has significant flaws:
Network policies cannot be applied to individual users or user groups.
Sequential search in a monolithic policy table does not allow policies that reflect a user's membership in multiple user groups.
Firewall configuration is complicated because packet-screening policies are separated from the proxy policies.
Other approaches to configuration management also exist in the prior art. Firewalls such as the CHECKPOINT, WINGATE and RAPTOR firewalls use what can be loosely described as the "Decision Tree" based approach. The basic building blocks are logical expressions and actions. Logical expressions are evaluated from top to bottom and the first matching expression becomes the enforced policy. Logical expressions may contain source, destination, user name, user group, protocol, time and any combinations of those. The "Decision Tree" may have a single level as in the CheckPoint firewall ("Decision List") or multiple levels as in the WinGate firewall.
The "Decision Tree" approach presents the following advantages:
The methodology is flexible. For example, a configuration could be built to emphasize destinations rather than the source as main criteria.
User group based policies are supported.
The disadvantages of the "Decision Tree" approach are:
The model does not allow viewing all rules per a given network object.
An incorrect or incorrectly placed rule can have a negative impact on other rules and in some cases can leave the firewall severely misconfigured.
Multiple user group membership is limited in its scope and can be made meaningful only by carefully tweaking logical expressions. Adding a user to another group may require adding a new expression to the "Decision Tree" to provide the necessary policy evaluation branch.
There is thus a need for a new method of rule set creation and evaluation.
A system, method and computer program product are provided for affording network security features. A plurality of network objects are identified. Rule sets associated with one or more of the identified network objects are retrieved. Each network object can have one or more rule sets associated with it. Each rule set includes a plurality of policy rules that govern actions relating to the identified network objects. Overlapping policy rules of the rule sets are reconciled amongst the network objects. The reconciled rule sets are then executed.
In one preferred embodiment, each policy rule of the reconciled rule sets includes a rule action. One rule action permits an action relating to the identified network objects. Another rule action denies an action relating to the identified network objects. Yet another rule action conditionally denies an action relating to the identified network objects. Preferably, an action relating to the identified network objects is permitted if no policy rules deny the action, at least one policy rule conditionally denies the action, and at least one policy rule permits the action. As an option, the policy rules denying the action are evaluated first and the policy rules conditionally denying the action are evaluated second. The policy rules permitting the action are evaluated third.
In another preferred embodiment, an action relating to the identified network objects is denied if none of the policy rules permit the action. Further, an action relating to the identified network objects can be denied if none of the policy rules match a request for the action.
As an option, the rule sets can be combined into a single rule set during execution of the reconciled rule sets. As another option, duplicate policy rules of the rule sets can be removed. Preferably, a user such as an administrator of the system or network is notified of conflicting policy rules of the rule sets so that appropriate correction can be made. Further, a protocol configuration enforced by a related proxy can be selected from a hierarchical list if an action is permitted by more than one rule.
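The reconciliation and evaluation order described in the three preceding paragraphs, worked through as an added Python example (this is illustrative code, not the patent's or any product's implementation). It assumes a connection maps to several network objects at once (the user's groups and the source host), merges their rule sets into one, drops duplicate rules, reports permit/deny conflicts for the administrator, evaluates deny rules first, conditional-deny rules second and permit rules third, and picks the proxy protocol configuration from a ranked list when more than one permit applies. The reading of "conditionally deny" as "deny unless some other rule permits" is an assumption, as are all class, function and sample host names.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class RuleAction(Enum):
    PERMIT = "permit"
    DENY = "deny"
    CONDITIONAL_DENY = "conditional_deny"   # assumed: denies unless another rule permits


@dataclass(frozen=True)
class PolicyRule:
    service: str                            # e.g. "http"; "*" matches any service
    destination: str                        # host name; "*" matches any destination
    action: RuleAction
    protocol_config: Optional[str] = None   # proxy configuration applied when permitted
    rank: int = 0                           # position in the hierarchical config list (lower wins)


@dataclass(frozen=True)
class RuleSet:
    name: str
    rules: Tuple[PolicyRule, ...]


@dataclass
class NetworkObject:
    name: str
    rule_sets: List[RuleSet]


@dataclass
class Request:
    service: str
    destination: str


@dataclass
class Decision:
    permitted: bool
    reason: str
    protocol_config: Optional[str] = None
    conflicts: List[str] = field(default_factory=list)   # to be shown to the administrator


def reconcile(objects: List[NetworkObject]) -> Tuple[List[PolicyRule], List[str]]:
    """Merge every rule set of every object into one rule set, dropping duplicates
    and recording any service/destination pair that is both permitted and denied."""
    combined: List[PolicyRule] = []
    for obj in objects:
        for rule_set in obj.rule_sets:
            for rule in rule_set.rules:
                if rule not in combined:        # duplicate removal (dataclass equality)
                    combined.append(rule)
    actions_by_key = {}
    for rule in combined:
        actions_by_key.setdefault((rule.service, rule.destination), set()).add(rule.action)
    conflicts = [
        f"permit and deny both apply to {service} -> {destination}"
        for (service, destination), actions in actions_by_key.items()
        if {RuleAction.PERMIT, RuleAction.DENY} <= actions
    ]
    return combined, conflicts


def _matches(rule: PolicyRule, request: Request) -> bool:
    return rule.service in ("*", request.service) and rule.destination in ("*", request.destination)


def evaluate(rules: List[PolicyRule], request: Request) -> Decision:
    """Denies first, conditional denies second, permits third; no match means deny."""
    matching = [r for r in rules if _matches(r, request)]
    if not matching:
        return Decision(False, "no rule matches the request")
    if any(r.action is RuleAction.DENY for r in matching):
        return Decision(False, "denied by an unconditional deny rule")
    permits = [r for r in matching if r.action is RuleAction.PERMIT]
    if not permits:
        # Only conditional denies matched and nothing overrides them.
        return Decision(False, "no rule permits the request")
    # Several permits may apply: take the protocol configuration with the best rank.
    ranked = sorted((r for r in permits if r.protocol_config), key=lambda r: r.rank)
    return Decision(True, "permitted", ranked[0].protocol_config if ranked else None)


def decide(objects: List[NetworkObject], request: Request) -> Decision:
    rules, conflicts = reconcile(objects)
    decision = evaluate(rules, request)
    decision.conflicts = conflicts
    return decision


# Constructed sample: user "alice" is in two groups; her workstation has its own rule set.
ENGINEERING = NetworkObject("engineering", [RuleSet("eng-default", (
    PolicyRule("http", "*", RuleAction.PERMIT, "http-antivirus", rank=1),
    PolicyRule("smtp", "*", RuleAction.PERMIT),
    PolicyRule("ftp", "*", RuleAction.CONDITIONAL_DENY),
))])
CONTRACTORS = NetworkObject("contractors", [RuleSet("contractor-default", (
    PolicyRule("ftp", "*", RuleAction.CONDITIONAL_DENY),    # exact duplicate of the engineering rule
    PolicyRule("smtp", "*", RuleAction.DENY),               # conflicts with the engineering permit
    PolicyRule("http", "wiki.internal", RuleAction.PERMIT, "http-plain", rank=5),
))])
WORKSTATION = NetworkObject("ws-alice", [RuleSet("host-rules", (PolicyRule("telnet", "*", RuleAction.DENY),))])
ALICE_OBJECTS = [ENGINEERING, CONTRACTORS, WORKSTATION]

if __name__ == "__main__":
    for req in (Request("http", "wiki.internal"), Request("ftp", "files.internal"),
                Request("smtp", "mail.internal"), Request("ssh", "build.internal")):
        d = decide(ALICE_OBJECTS, req)
        print(f"{req.service:6} -> {req.destination:14} permitted={d.permitted} ({d.reason}) config={d.protocol_config}")
    print("conflicts for the administrator:", reconcile(ALICE_OBJECTS)[1])
```

Because every rule that applies to alice is gathered before anything is evaluated, the outcome no longer depends on which of her groups happens to be listed first, which is the multiple-membership problem the sequential and decision-tree approaches above cannot express; the conflict list is what an administrator would be notified of so the permit/deny collision on smtp can be corrected.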
In another aspect of a preferred embodiment, a computer program product and a method are provided for establishing network security. A plurality of network objects of a network and a plurality of rule sets are provided. The network objects are associated with the rule sets. The rule sets include a plurality of policy rules that govern actions relating to the identified network objects during operation of the network.
In one preferred embodiment, a user is allowed to associate the network objects with the rule sets via a graphical user interface. In another preferred embodiment, each policy rule of the reconciled rule sets includes a rule action. One rule action permits an action relating to the identified network objects. Another rule action denies an action relating to the identified network objects. Yet another rule action conditionally denies an action relating to the identified network objects. Preferably, an action relating to the identified network objects is permitted if no policy rules deny the action, at least one policy rule conditionally denies the action, and at least one policy rule permits the action. As an option, an action relating to the identified network objects can be denied if none of the policy rules permit the action.