
1. WO2020140153 - VISUALIZING FIREWALL-PERMITTED NETWORK PATHS FOR ASSESSING SECURITY OF NETWORK CONFIGURATION

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters


WHAT IS CLAIMED IS:

1. A computer-implemented method of generating in a display of a user interface a dynamic accessibility diagram representing a firewall configuration of a firewall in a computer network, the method comprising:

receiving the firewall configuration of the firewall, the firewall configuration comprising at least one access control list (ACL) rule, each ACL rule defining:

a remote ACL parameter defining a remote address range outside the firewall;

a local ACL parameter defining a local address range inside the firewall; and

an accessibility rule defining accessibility between the remote address range and the local address range;

generating in the display a pair of concentric rings representing the firewall, the pair of concentric rings comprising an outer concentric ring and an inner concentric ring each comprising at least one ACL parameter segment, each ACL parameter segment of the outer concentric ring representing the remote address range of the remote ACL parameter of at least one of the ACL rules, each ACL parameter segment of the inner concentric ring representing the local address range of the local ACL parameter of at least one of the ACL rules; and

receiving via the user interface a selection of at least one ACL parameter segment as a selected ACL parameter segment;

when the selected ACL parameter segment is in the outer concentric ring: determining at least one remote address range represented by the selected ACL parameter segment as a selected address range; determining at least one ACL rule as a selected ACL rule, wherein the remote ACL parameter defined by the selected ACL rule defines the selected address range; and

determining the local address range of the local ACL parameter defined by the selected ACL rule as a pairing address range;

when the selected ACL parameter segment is in the inner concentric ring: determining at least one local address range represented by the selected ACL parameter segment as a selected address range;

determining at least one ACL rule as a selected ACL rule, wherein the local ACL parameter defined by the selected ACL rule defines the selected address range; and

determining the remote address range of the remote ACL parameter defined by the selected ACL rule as a pairing address range; determining at least one ACL parameter segment as a pairing ACL parameter segment, wherein the pairing ACL parameter segment represents the pairing address range;

generating in the display an accessibility curve joining the selected ACL parameter segment and the pairing ACL parameter segment, the accessibility curve graphically representing accessibility between the selected address range and the pairing address range.

2. The method according to Claim 1, wherein the selected ACL parameter segment is in the outer concentric ring, the pairing ACL parameter segment is in the inner concentric ring, the selected address range is the remote address range of the selected ACL rule, the pairing address range is the local address range of the selected ACL rule, wherein the accessibility curve represents accessibility between the remote address range and the local address range.

3. The method according to Claim 1, wherein the selected ACL parameter segment is in the inner concentric ring, the pairing ACL parameter segment is in the outer concentric ring, the selected address range is the local address range of the particular ACL rule, the pairing address range is the remote address range of the selected ACL rule, wherein the accessibility curve represents accessibility between the local address range and the remote address range.

4. The method according to Claim 2 or 3, wherein the accessibility curve represents accessibility of traffic from the remote address range to the local address range.

5. The method according to Claim 4, wherein the accessibility curve has an arrowhead at or adjacent the ACL parameter segment corresponding to the local address range.

6. The method according to Claim 2 or 3, wherein the accessibility curve represents accessibility of traffic from the local address range to the remote address range.

7. The method according to Claim 6, wherein the accessibility curve has an arrowhead at or adjacent the ACL parameter segment corresponding to the remote address range.

8. The method according to any one of Claims 1 to 7, comprising generating a graphical feature of the accessibility curve based on the accessibility rule of the selected ACL rule, whereby the accessibility curve graphically represents the accessibility between the selected address range and the pairing address range.

9. The method according to Claim 8, wherein a colour of the accessibility curve graphically represents the accessibility between the selected address range and the pairing address range.

10. The method according to Claim 9, wherein the accessibility curve is rendered in a first colour when accessibility between the selected address range and the pairing address range is allowed, and the accessibility curve is rendered in a second colour when accessibility between the selected address range and the pairing address range is blocked.

11. The method according to Claim 10, wherein the first colour is green, and the second colour is red.

12. The method according to any one of Claims 1 to 11, wherein the remote ACL parameter of the selected ACL rule further defines a remote port range, and the local ACL parameter of the selected ACL rule further defines a local port range.

13. The method according to Claim 12, wherein the selected ACL parameter segment or the pairing ACL parameter segment further graphically represents the remote port range or the local port range.

14. The method according to any one of Claims 1 to 13, wherein receiving the firewall configuration of the firewall comprises:

receiving a plurality of standardized firewall configurations corresponding respectively to a plurality of network appliances in the computer network; and

processing the plurality of standardized firewall configurations to identify network security enclaves;

wherein the firewall configuration is a selected one of the plurality of standardized firewall configurations.

15. The method according to Claim 14, wherein receiving the plurality of standardized firewall configurations corresponding respectively to the plurality of network appliances comprises:

accessing each of the network appliances to retrieve an appliance security configuration of the network appliance, the appliance security configuration comprising an appliance firewall configuration, thereby providing a respective plurality of appliance firewall configurations; and

processing each of the appliance firewall configurations to generate a corresponding standardized firewall configuration.

16. The method according to Claim 15, wherein accessing each of the network appliances to retrieve the appliance security configuration of the network appliance comprises accessing at least one of the network appliances over the computer network to retrieve the appliance security configuration of the network appliance.

17. The method according to Claim 15 or 16, wherein first ones of the plurality of appliance firewall configurations are characterized by a first firewall configuration type different from a second firewall configuration type characterizing second ones of the plurality of appliance firewall configurations, and processing each of the appliance firewall configurations to generate the respectively corresponding standardized firewall configurations comprises:

determining a firewall configuration type of the appliance firewall configuration, and processing firewall configuration parameters of the appliance firewall configuration based on an algorithm associated with the firewall configuration type to generate corresponding standardized firewall configuration parameters of the corresponding standardized firewall configuration.

18. The method according to any one of Claims 14 to 17, wherein processing the plurality of standardized firewall configurations to identify network security enclaves comprises identifying corresponding groups of the network appliances accessible over the computer network via a corresponding common network appliance.

19. A computing device comprising a processor, a network interface, and a memory encoding computer-executable instructions executable by the processor to perform the method according to any one of Claims 1 to 18 using the network interface.

20. A non-transient computer-readable medium encoding computer-executable instructions executable by a processor to perform the method according to any one of Claims 1 to 18 using a network interface.
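The following is a worked example added to this listing; it is not code from the application or the applicant. It implements the steps of Claims 1, 5, 7, 10 to 13 and 17 in Python: two constructed configurations of different types (iptables-save syntax and Cisco ASA extended ACLs) are detected by keyword and normalised into the remote/local/accessibility rule form of Claim 1, the distinct remote and local address ranges become the outer and inner ring segments, and selecting a segment in either ring yields one accessibility curve per matching rule together with its colour (green for allowed, red for blocked) and the side that carries the arrowhead. Traffic direction is this example's own assumption: the iptables INPUT and OUTPUT chains, and for ASA the interface an ACL is bound to by access-group. The appliance retrieval and enclave identification of Claims 15 to 18 are not implemented; the rule sets are built from inline text.

```python
# Added example (not the applicant's code). Assumptions: iptables INPUT/OUTPUT
# chains give direction; an ASA ACL bound "in" on "outside" is inbound; the
# configurations at the bottom are constructed for this example.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class AclRule:
    remote: IPv4Network   # remote ACL parameter: address range outside the firewall
    remote_port: str      # remote port range (Claim 12), "any" if unrestricted
    local: IPv4Network    # local ACL parameter: address range inside the firewall
    local_port: str       # local port range (Claim 12)
    allowed: bool         # accessibility rule: True = permitted, False = blocked
    inbound: bool         # True = remote -> local traffic, False = local -> remote


def _rule(src, dst, dport, allowed, inbound):
    """Orient a vendor src->dst entry as remote/local; the destination port
    is a local port for inbound traffic and a remote port for outbound."""
    if inbound:
        return AclRule(src, "any", dst, dport, allowed, True)
    return AclRule(dst, dport, src, "any", allowed, False)


def _parse_iptables(lines):
    """iptables-save syntax: INPUT chain = inbound, OUTPUT chain = outbound."""
    rules = []
    for t in (l.split() for l in lines):
        if len(t) < 2 or t[0] != "-A" or t[1] not in ("INPUT", "OUTPUT"):
            continue
        opt = {t[i]: t[i + 1] for i in range(len(t) - 1) if t[i].startswith("-")}
        rules.append(_rule(ip_network(opt.get("-s", "0.0.0.0/0")),
                           ip_network(opt.get("-d", "0.0.0.0/0")),
                           opt.get("--dport", "any").replace(":", "-"),
                           opt.get("-j") == "ACCEPT", t[1] == "INPUT"))
    return rules


def _asa_addr(t, i):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') at t[i]."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def _parse_asa(lines):
    """Cisco ASA extended ACLs, oriented by the interface each ACL is bound to."""
    bound, acls = {}, {}
    for t in (l.split() for l in lines):
        if t[:1] == ["access-group"]:       # access-group NAME in interface IFACE
            bound[t[1]] = t[4]
        elif len(t) > 2 and t[0] == "access-list" and t[2] == "extended":
            acls.setdefault(t[1], []).append(t)
    rules = []
    for name, entries in acls.items():
        inbound = bound.get(name) == "outside"
        for t in entries:
            src, i = _asa_addr(t, 5)
            dst, i = _asa_addr(t, i)
            port = (t[i + 1] if t[i:i + 1] == ["eq"] else
                    f"{t[i + 1]}-{t[i + 2]}" if t[i:i + 1] == ["range"] else "any")
            rules.append(_rule(src, dst, port, t[3] == "permit", inbound))
    return rules


def standardize(config_text):
    """Claim 17: detect the configuration type, then run the matching parser."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    if any(l.startswith("access-list ") for l in lines):
        return _parse_asa(lines)
    if any(l.startswith("-A ") for l in lines):
        return _parse_iptables(lines)
    raise ValueError("unrecognised firewall configuration type")


def ring_segments(rules):
    """Outer ring: one segment per distinct remote range; inner: per local range."""
    key = lambda n: (int(n.network_address), n.prefixlen)   # stable placement
    return (sorted({r.remote for r in rules}, key=key),
            sorted({r.local for r in rules}, key=key))


def accessibility_curves(rules, selected, ring):
    """Claim 1 selection step: one curve per rule whose 'outer' (remote) or
    'inner' (local) parameter is the selected range, as
    (pairing range, pairing port range, colour, side carrying the arrowhead)."""
    selected, curves = ip_network(selected), []
    for r in rules:
        own, pair, port = ((r.remote, r.local, r.local_port) if ring == "outer"
                           else (r.local, r.remote, r.remote_port))
        if own == selected:
            curves.append((str(pair), port,
                           "green" if r.allowed else "red",       # Claims 10-11
                           "local" if r.inbound else "remote"))   # Claims 5 and 7
    return curves


# Constructed configurations for two appliances of different types (Claims 14, 17).
APPLIANCE_CONFIGS = {"edge-fw": """\
-A INPUT -s 203.0.113.0/24 -d 10.0.0.0/24 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -d 10.0.0.0/24 -p tcp --dport 22 -j DROP
-A OUTPUT -s 10.0.0.0/24 -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT""", "dc-asa": """\
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 10.0.0.10 eq 443
access-list OUTSIDE_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any range 80 443
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside"""}
STANDARDIZED = {name: standardize(cfg) for name, cfg in APPLIANCE_CONFIGS.items()}

if __name__ == "__main__":
    outer, inner = ring_segments(STANDARDIZED["dc-asa"])
    print("outer:", [str(n) for n in outer], "inner:", [str(n) for n in inner])
    print(accessibility_curves(STANDARDIZED["dc-asa"], "10.0.0.0/24", "inner"))
```

Run as a script, it prints the two rings and the curves for the ASA configuration. Selecting the inner segment 10.0.0.0/24 there returns two curves to the same outer segment 0.0.0.0/0: a red inbound one from the deny entry and a green outbound one from the INSIDE_IN ACL. That is the case the per-rule curve, colour and arrowhead of Claims 5 to 11 are meant to expose, since a single undirected line between the two segments would hide the blocked path.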