Patents Assigned to Stonesoft
  • Patent number: 8099776
    Abstract: A personalized firewall or other network gateway is provided by a method of matching a data packet to a rule in a network gateway having a rule base. One or more identification values are determined based on the data packet and property value(s) associated with said one or more identification values are queried and received from a property server. The property value(s) describe for example allowed connections and services for an entity associated with the identification value(s). The property value(s) are compared to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and the action defined in said at least one rule is taken, if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.
    Type: Grant
    Filed: November 22, 2002
    Date of Patent: January 17, 2012
    Assignee: Stonesoft Corporation
    Inventors: Mika Jalava, Tuomo Syvänne
  • Patent number: 8085752
    Abstract: A method of handling mobile entities in a firewall, wherein a first mobile entity table comprising identifiers of mobile entities which are active in the firewall, and a second mobile entity table comprising identifiers of mobile entities which are active in a predefined set of other firewalls, together with identifiers of the corresponding other firewalls, are maintained in the firewall. A new mobile entity, which is not currently active in the firewall, is detected, after which it is determined, on the basis of the second mobile entity table, whether the new mobile entity is currently active in another firewall. If the mobile entity is currently active in another firewall, state information related to the new mobile entity is queried from that other firewall and stored in the firewall, to be used for processing data packets from/to the new mobile entity.
    Type: Grant
    Filed: November 21, 2002
    Date of Patent: December 27, 2011
    Assignee: Stonesoft Corporation
    Inventors: Tuomo Syvänne, Mika Jalava
  • Patent number: 8019850
    Abstract: The invention provides a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP). Management of a VPN device is distributed so that at least part of the VPN configuration is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the VPN device.
    Type: Grant
    Filed: July 29, 2009
    Date of Patent: September 13, 2011
    Assignee: Stonesoft Corporation
    Inventor: Mika Jalava
  • Patent number: 7739727
    Abstract: The present invention relates to a method of managing a network device, a network device, and a management system. A configuration of a firewall is changed over a network connection by a remote management system (10). The firewall (11) applies the changed configuration after receiving a command from the management system (10). Shortly after the changed configuration is applied, the management system (10) opens a new connection to the firewall (11). With this new connection, the configuration is accepted for permanent use in the firewall (11). If a new connection is not successfully set up within a given time limit, the firewall (11) automatically returns to using the old configuration. Thereby, the firewall (11) is able to recover from any loss of the management connection caused by a mistake in the changed configuration.
    Type: Grant
    Filed: April 23, 2002
    Date of Patent: June 15, 2010
    Assignee: Stonesoft Corporation
    Inventor: Tuomo Syvänne
  • Patent number: 7721084
    Abstract: A method of filtering a tunneled data packet including an outer header and an outer payload, the outer payload including an inner data packet including an inner header and an inner payload, where the value of at least one outer header field of the tunneled data packet is matched to a first rule, and the action defined in the first rule is taken. Taking the action defined in the first rule includes detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.
    Type: Grant
    Filed: November 22, 2002
    Date of Patent: May 18, 2010
    Assignee: Stonesoft Corporation
    Inventors: Riku Salminen, Tuomo Syvänne, Mika Jalava
  • Publication number: 20090287810
    Abstract: The invention provides a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP). Management of a VPN device is distributed so that at least part of the VPN configuration is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the VPN device.
    Type: Application
    Filed: July 29, 2009
    Publication date: November 19, 2009
    Applicant: STONESOFT CORPORATION
    Inventor: Mika Jalava
  • Patent number: 7573823
    Abstract: The invention relates to methods for selecting packet transmission routes between two network sites in a case in which each site is connected to the rest of the network via a plurality of connections. According to the invention, the source network site is arranged to select which connection is used at the source end and which connection is used at the destination end, and to base the selections at least partly on a round trip time value and a packet success rate value. The selection criteria can advantageously be time dependent.
    Type: Grant
    Filed: January 19, 2005
    Date of Patent: August 11, 2009
    Assignee: Stonesoft Oy
    Inventor: Matti Halme
  • Patent number: 7461401
    Abstract: The invention concerns handling, in a firewall, data communication protocols comprising at least one parent connection and at least one related connection, wherein at least one attribute of the related connection is negotiated within the parent connection. Whether to allow a related connection is decided on the basis of information about the related connection as well as information about the parent connection. The method of the invention comprises allowing a parent connection, storing information about the parent connection, monitoring the contents of the parent connection, detecting within the parent connection the negotiation of at least one attribute of a related connection, and using said at least one negotiated attribute of the related connection and said information about the parent connection for deciding whether said related connection is allowable.
    Type: Grant
    Filed: May 6, 2003
    Date of Patent: December 2, 2008
    Assignee: Stonesoft Corporation
    Inventors: Matti Leppanen, Riku Salminen, Henri Sara, Tuomo Syvanne
  • Patent number: 7406534
    Abstract: The invention relates to processing the configuration of a network node, such as for example a firewall, and to sharing the configuration management between several administrators. The configuration comprises a processing rule base, which contains rules to be used in the network node for filtering data packets, the rules comprising one or more identification values for identifying a data packet and an action. The configuration of the network node is validated by determining whether the processing rule base fulfils requirements defined in a validation rule base. The use of a validation rule base enables verifying that processing rule bases managed by different administrators fulfil some set of requirements. Additionally, the invention provides for detecting human errors in configurations.
    Type: Grant
    Filed: December 18, 2002
    Date of Patent: July 29, 2008
    Assignee: Stonesoft Corporation
    Inventors: Tuomo Syvänne, Eino Lilius
  • Patent number: 7401353
    Abstract: In a device having data communication capability, a security method dynamically detects a control connection which originates from the device, and detects a negotiation of a related connection within the control connection. The negotiation comprises at least defining a port of the device for said related connection. The method further checks whether the relationship between said port of the device and the control connection fulfills predefined criteria, and conditionally blocks said related connection if said port of the device does not fulfill said predefined criteria. The method can be used for suppressing a vulnerability related to applets.
    Type: Grant
    Filed: October 21, 2003
    Date of Patent: July 15, 2008
    Assignee: Stonesoft Corporation
    Inventor: Joona Airamo
  • Patent number: 7392537
    Abstract: The invention provides an arrangement for managing a network security application comprising a full management user interface for conducting management operations for the network security application, and a limited management user interface for conducting a limited number of management operations of the full management user interface for the network security application over a wireless remote connection.
    Type: Grant
    Filed: October 8, 2001
    Date of Patent: June 24, 2008
    Assignee: Stonesoft Oy
    Inventors: Jari Satomaa, Hannu Pudas, Mika Jalava
  • Patent number: 7386525
    Abstract: The invention relates to data packet filtering and finding a rule matching a data packet in a rule base. A data packet comprises parameter fields for identifying the data packet, the rule base comprises a plurality of rules, each rule comprises one or more parameter fields, and the matching rule is a rule whose parameter field values correspond to the parameter field values of said data packet. The matching rule is found by determining rule sets for the data packet, one rule set comprising the rules to which one parameter field value of the data packet can match, and by finding the rule with the smallest label that is present in all said rule sets of the data packet, said rule with the smallest label indicating the rule matching the data packet. Additionally, the invention relates to finding an element with the smallest label that is present in a plurality of finite subsets containing a finite number of elements, said subsets being subsets of a set containing a finite number of sequentially labelled elements.
    Type: Grant
    Filed: September 21, 2001
    Date of Patent: June 10, 2008
    Assignee: Stonesoft Corporation
    Inventors: Kari Nurmela, Mika Rautila
  • Patent number: 7360242
    Abstract: A computer device which can be connected to a home network and to a foreign network is provided with a local security mechanism, called a personal firewall, for protecting the computer device from attacks from the foreign network, in addition to or instead of a firewall in the internal network which protects the computer when connected to the internal network. The personal firewall is arranged to detect its current location, i.e. to determine the network to which it is connected at each particular moment, and to control its operation accordingly. The current location of the computer device is first determined on the basis of a currently used IP address of the computer device. Then this location determined on the basis of the current IP address of the computer device is verified by carrying out an additional location verification procedure with a predetermined network element.
    Type: Grant
    Filed: November 19, 2001
    Date of Patent: April 15, 2008
    Assignee: Stonesoft Corporation
    Inventor: Tuomo Syvänne
  • Patent number: 7325248
    Abstract: A computer device is provided with a local security mechanism, a personal firewall, for protecting the computer device from attacks from a foreign network, in addition to or instead of a firewall in the internal network which protects the computer when connected to a home network. The personal firewall is provided with different sets of security rules for the home network and foreign networks. The personal firewall is arranged to detect its current location, i.e. to determine which network it is connected to at each particular moment. The personal firewall activates one of the given sets of security rules according to the detected current location of the computer device, i.e. the personal firewall automatically uses the security rules predefined for the network to which the computer device is connected at each particular moment. Upon detecting a change in the location, the personal firewall immediately adapts to use the security rules predefined for the new location.
    Type: Grant
    Filed: November 19, 2001
    Date of Patent: January 29, 2008
    Assignee: Stonesoft Corporation
    Inventor: Tuomo Syvänne
  • Patent number: 7302480
    Abstract: The invention relates to the monitoring of the flow of a data stream travelling between a client and a server system. The invention is intended particularly for such communications protocols carrying representation data above some connection-oriented protocol layer. The objective of the present invention is to bring about a flow monitoring mechanism enhancing system security. This is achieved by analyzing a data stream travelling from the server to the client in order to identify at least one response descriptor in the data stream. The identified response descriptors are stored in a set of available states for said client. Then the data stream travelling from the client to the server is analyzed in order to identify at least one request descriptor. The request descriptors identified are compared with the set of available states for said client, and in response to the comparing step, a monitoring result is generated.
    Type: Grant
    Filed: January 16, 2003
    Date of Patent: November 27, 2007
    Assignee: Stonesoft Corporation
    Inventor: Jesse Lahtinen
  • Patent number: 7280540
    Abstract: In a network element cluster having a plurality of nodes, distribution decisions are determined on the basis of certain field(s) of data packets according to predetermined criteria, and data packets are distributed to nodes of the network element cluster according to the distribution decisions. Data packets are processed by said nodes of the network element cluster, and the processing involves selecting at least partly arbitrary value(s) for at least one of the field(s) of at least one data packet. Such value(s) are selected for at least one of said certain field(s) of a third data packet, such that distribution decisions determined according to the predetermined criteria result in the same node in the cluster processing inbound and outbound packets of the same session ID.
    Type: Grant
    Filed: October 19, 2001
    Date of Patent: October 9, 2007
    Assignee: Stonesoft Oy
    Inventors: Matti Halme, Esa Harjulahti, Tommi Virtanen, Timo Virtanen, Tuomo Syvanne
  • Patent number: 7260843
    Abstract: An intrusion detection system employs a pointer fingerprint method for detecting attempted or successful intrusions into an information system or network. In a pointer fingerprint method, the specific stream of bits searched from the traffic streams is a pointer or part of it that must be included in all working buffer overflow (bof) attacks. This makes it possible to detect also the previously unknown bof attacks.
    Type: Grant
    Filed: June 26, 2002
    Date of Patent: August 21, 2007
    Assignee: Stonesoft Corporation
    Inventor: Daavid Hentunen
  • Patent number: 7234166
    Abstract: The invention relates to event sequence detection suitable for an intrusion detection system (IDS), for example. An event sequence including two or more stages in order, each of the stages including one or more events, is defined. Also defined is a filtering function for each of the stages, each filtering function providing a TRUE indication when one of the events belonging to the respective stage is received, and a FALSE indication otherwise. Still further, at least one binding function for each of the stages is defined such that a pair of binding functions in two successive stages links the events in these two successive stages. Received event data is continuously evaluated with the filtering functions. When the evaluation results in a TRUE indication from one of the filtering functions, at least one key value is derived from the received event data by the corresponding at least one binding function.
    Type: Grant
    Filed: November 7, 2002
    Date of Patent: June 19, 2007
    Assignee: Stonesoft Corporation
    Inventor: Kari Nurmela
  • Patent number: 7162737
    Abstract: A method (400, 500, 600, 700) for synchronizing state information in a security gateway cluster comprising at least two nodes comprises the following steps. Synchronizing (403) state information by sending state information from a first node of said at least two nodes, detecting (401) in said security gateway cluster a predetermined irregularly occurring action, and initiating (402) synchronization of state information as a response to said action. The state information is sent to at least a second node of said at least two nodes. Corresponding computer program, computer program product, software entities (910, 920), a node (900) of a security gateway cluster (950) and a security gateway cluster are also presented.
    Type: Grant
    Filed: October 12, 2001
    Date of Patent: January 9, 2007
    Assignee: Stonesoft
    Inventors: Tuomo Syvanne, Mika Jalava
  • Patent number: 7146421
    Abstract: A method for handling dynamic state information used for handling data packets which arrive at a network element node of a network element cluster, said network element cluster having at least two nodes and each node handling separate sets of data packets. In a node there is maintained (206) a first, node-specific data structure comprising entries representing state information needed for handling sets of data packets handled in said node. In said node there is also maintained (208) a second, common data structure comprising at least entries representing state information needed for handling sets of data packets handled in one other node of said network element cluster. The contents of said common data structure effectively differ from the contents of said node-specific data structure. Data packets are distributed (202, 204) to nodes of the cluster by means of distribution identifiers allocated (200) to nodes.
    Type: Grant
    Filed: October 19, 2001
    Date of Patent: December 5, 2006
    Assignee: Stonesoft Oy
    Inventor: Tuomo Syvanne