Title of invention: Automatically recommending firewall rules during enterprise information technology transformation
Abstract: A system and computer program product for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment include obtaining at least one communication pattern occurring in a pre-transformation source environment, and automatically generating one or more vendor-neutral rules for one or more intended firewall interfaces in a post-transformation target environment based on the at least one communication pattern occurring in the source environment and based on information derived from the target environment.
Publication number: US9100363(B2) Publication date: 2015.08.04
Application number: US201213618298 Filing date: 2012.09.14
Applicant: International Business Machines Corporation Inventors: Burchfield Nancy L.; Hang Nathaniel; Hosn Rafah A.; Murray James W.; Ramasamy Harigovind V.
Classification: G06F15/173; G06F9/00; G06F15/16; G06F17/00; H04L29/06 Main classification: G06F15/173
Agency: Ryan, Mason & Lewis, LLP Agent: Ryan, Mason & Lewis, LLP
Main claim: 1. An article of manufacture comprising a non-transitory computer readable storage medium having computer readable instructions tangibly embodied thereon which, when implemented, cause a computer to carry out a plurality of method steps comprising: obtaining at least one communication pattern occurring in a pre-transformation source environment by analyzing (i) one or more firewall configuration files and/or firewall log files associated with the source environment, (ii) one or more run-time network flows at the source environment, and (iii) one or more configured dependencies at one or more servers running on the source environment; automatically generating one or more vendor-neutral firewall rules for multiple intended firewall interfaces, on a per-interface basis, in a post-transformation target environment based on (i) the at least one communication pattern occurring in the source environment and (ii) information derived from the target environment, wherein the one or more vendor-neutral firewall rules contain multiple attributes and values associated therewith for configuring flow-control rules on a firewall device that is not specific to any particular vendor, and wherein said automatically generating comprises: generating a transformed version of the at least one communication pattern by applying source-target host and internet protocol (IP) subnet mapping information to the at least one communication pattern; generating an adjusted version of the at least one communication pattern by incorporating one or more communication requirements associated with the target environment to the transformed version of the at least one communication pattern; and identifying a subset of the adjusted version of the at least one communication pattern to be utilized for each of the multiple intended firewall interfaces in the post-transformation target environment; and automatically converting the one or more vendor-neutral firewall rules into one or more vendor-specific firewall rules for the target environment based on information derived from the target environment, wherein the one or more vendor-specific firewall rules comprise commands to be directly used to configure a particular firewall device associated with a particular vendor.
Address: Armonk NY US