Nowadays, as network security has become one of the major issues in networking technology, many vendors offer a wide range of security products, solutions and methodologies.
The most common security solution is the FIREWALL. A FIREWALL operates on the TCP/IP protocol suite. Under that suite, a stream of data is carried as a sequence of packets, and each packet carries a header that describes it. The header fields most relevant here are the source address (which identifies who sent the packet), the destination address (which identifies for whom the packet is intended), the source and destination port numbers (which identify the service), and, for TCP, the sequence number that fixes the position of the packet's data within the stream. A stream may consist of a single packet or of many packets. A plain router forwards each packet on the basis of its destination address alone, whereas a FIREWALL compares every packet header against an access policy set by the network administrator (a stateful FIREWALL evaluates the policy on the first packet of a connection and checks each later packet against the recorded state of that connection). The FIREWALL can therefore drop a packet whose source or destination is not permitted, even when that packet is not the first of its stream, and it can confine traffic to specific ports while blocking access to all others. That kind of protection, however, is not sufficient to secure a trusted network against intrusion.
First, it is very easy to change a computer's IP address. Suppose an intruder learns that the trusted network's FIREWALL allows a machine at address X, port Y, to communicate with an internal network member at address Z on the same port Y. All the intruder has to do is to configure his own machine with address X (or to forge that address in the packets he sends), attach it to the network, and send data from port Y to address Z, port Y. Because the FIREWALL judges each packet by its header alone, it cannot distinguish the forged packets from genuine ones. Forging an address is not only easy, it leaves few traces, since the only record of the sender is the forged address itself. The one limitation of a forged source address is that replies are routed to the real X; an intruder who cannot observe or predict those replies can inject data but cannot complete a normal two-way TCP exchange unless he is positioned on the path between X and Z or at an address the FIREWALL already trusts.
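The following is an added illustration, not part of the original text: a toy stateless packet filter that decides exactly as described above, on header fields alone, shown beside the ingress check a practitioner would add (in the spirit of RFC 2827, which drops packets whose claimed source address is not credible for the interface they arrived on). The address plan (10.0.0.0/8 as the trusted network, 203.0.113.10 as the permitted partner host X, 10.0.0.5 as Z) and the rules are constructed for the example. It shows both what the check catches (a forged internal address arriving from outside) and what no header check can catch (a forged copy of the permitted external address X).

```python
"""Toy packet filter: header-only decision versus header plus ingress check.
Added example; addresses, interfaces and rules are constructed, not taken from any product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan: the trusted network is 10.0.0.0/8, everything else is outside.
# 203.0.113.0/24 is a documentation range used here for the external partner host X.
TRUSTED_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address as written in the header
    dst: str      # destination IP address
    dport: int    # destination port
    iface: str    # interface the packet arrived on: "ext" (outside) or "int" (inside)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int


# Constructed policy: partner host X (203.0.113.10) may reach Z (10.0.0.5) on 443,
# and the internal host 10.0.0.7 may reach Z on 445.
RULES = [
    Rule("203.0.113.10", "10.0.0.5", 443),
    Rule("10.0.0.7", "10.0.0.5", 445),
]


def header_filter(rules, pkt):
    """The decision the text describes: accept iff some rule matches the header fields."""
    for r in rules:
        if (r.src, r.dst, r.dport) == (pkt.src, pkt.dst, pkt.dport):
            return "allow"
    return "deny"


def ingress_filter(rules, pkt):
    """Same policy plus an ingress check: a source address belonging to the trusted
    network is not credible on the external interface, and vice versa. This catches a
    forged *internal* address; it cannot catch a forged external address such as X,
    which is indistinguishable from the genuine one at the header level."""
    src = ip_address(pkt.src)
    if pkt.iface == "ext" and src in TRUSTED_NET:
        return "deny"
    if pkt.iface == "int" and src not in TRUSTED_NET:
        return "deny"
    return header_filter(rules, pkt)


def demo():
    """Run three constructed packets through both filters; returns a name -> (header-only, with-ingress) map."""
    genuine = Packet("203.0.113.10", "10.0.0.5", 443, "ext")          # the real X
    forged_x = Packet("203.0.113.10", "10.0.0.5", 443, "ext")         # intruder claiming to be X
    forged_internal = Packet("10.0.0.7", "10.0.0.5", 445, "ext")      # intruder claiming an inside address
    cases = {"genuine": genuine, "forged_x": forged_x, "forged_internal": forged_internal}
    return {name: (header_filter(RULES, p), ingress_filter(RULES, p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (plain, ingress) in demo().items():
        print(f"{name:16s} header-only={plain:5s} with-ingress-check={ingress}")
```

The ingress check closes the case where the forged address belongs to the wrong side of the FIREWALL; the forged copy of X is accepted by both filters, which is the point of the paragraph above: an address-based rule authenticates nothing, and only something the intruder cannot forge (a cryptographic credential on the connection, not a header field) separates X from an impostor.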
Second, FIREWALLS decide on the basis of the port a packet comes from or is addressed to, and knowledgeable intruders know how to use the ports that must be left open in order to get past the FIREWALL. The FTP service, for example, uses two connections: a control connection over which the session is established, and a separate data connection, opened for each file transfer, whose address and port are announced over the control connection. A FIREWALL that permits FTP must therefore open the data port dynamically once it has been announced. A smart intruder uses this mechanism to send data into the network: he follows the establishment process and, the first time the file transfer port is enabled, communicates through that port.
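As an added example (not code from the original text or from any product), the following shows what an FTP-aware gateway has to do with the control connection described above: decode the client's PORT command, which under RFC 959 has the form `PORT h1,h2,h3,h4,p1,p2` and announces the address and port for the next data connection, and apply the two sanity checks a practitioner would insist on before opening that port, namely that the announced address is the client that owns the control connection and that the port is not a privileged service port. The session transcript, the client address 192.168.1.5 and the function names are constructed for the illustration.

```python
"""FTP PORT parsing and data-channel gating as a hypothetical FTP-aware gateway would do it.
Added example; the session transcript and addresses are constructed."""
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


def parse_port(line):
    """Decode a PORT command into (host, port); None if the line is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def data_channel_decision(line, control_client):
    """Decide whether to open a temporary hole for the announced data connection.
    Returns ("open", host, port) or ("reject", reason)."""
    parsed = parse_port(line)
    if parsed is None:
        return ("reject", "malformed PORT")
    host, port = parsed
    # The announced address must be the client on the control connection; otherwise
    # the dynamically opened hole points at a host the administrator never intended.
    if host != control_client:
        return ("reject", "PORT address differs from control connection client")
    # Data connections use unprivileged ports; a PORT to 21, 25, ... is an abuse sign.
    if port < 1024:
        return ("reject", "privileged data port")
    return ("open", host, port)


# Constructed control-channel transcript from client 192.168.1.5, one legitimate PORT
# and one that tries to aim the data connection at an internal mail port.
SESSION = [
    "USER anonymous",
    "PASS guest@",
    "PORT 192,168,1,5,4,1",
    "RETR report.txt",
    "PORT 10,0,0,9,0,25",
    "RETR payload",
]


def audit_session(lines, control_client):
    """Return the gateway's decision for every PORT command in a control-channel transcript."""
    return [(line, data_channel_decision(line, control_client))
            for line in lines if line.startswith("PORT ")]


if __name__ == "__main__":
    for line, decision in audit_session(SESSION, "192.168.1.5"):
        print(f"{line:28s} -> {decision}")
```

Even with both checks in place, the port that is opened for the legitimate PORT command is open for whatever the client chooses to send through it, which is exactly the gap the paragraph above describes: the gateway can verify where the data connection goes, but not what it carries.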
One of the most damaging routes into a system is through trusted people. It has been reported that more than 50% of intrusions are made possible by configuration errors committed unintentionally by trusted administrators. An organization's network is a very complicated system: it comprises many IP addresses whose access must be enabled or denied, many services to be enabled or left closed, and so on. An error that exposes a specific address to the outside world is not a rare occurrence. All an intruder has to do is to scan the organization's addresses and services for the first address and service that was not hermetically closed; that address becomes the gate through which the intruder enters. Unfortunately, such situations are common, and detecting an intrusion of this kind is very difficult, because the intruder's traffic is exactly what the misconfigured rule permits.
Third, since the FIREWALL is the only gate through which all communication must pass, its continued operation is a very sensitive matter. There are situations in which the FIREWALL stops working and the trusted network suddenly becomes unprotected and directly connected to the outside world. This may happen when the security software crashes, when the operating system hangs while its networking kernel keeps forwarding packets, or when an administrator disables the FIREWALL "just for a couple of minutes". The last case is very common, and an intruder can provoke it. The intruder sends a large volume of packets to the trusted network, addressed to an enabled and accessible address and port. That incoming stream may overload the network, which is obliged to carry the packets, and if the load is high enough the network delay becomes very high as well. It is known that during test and maintenance procedures, as well as during problem diagnosis, network administrators sometimes disconnect the FIREWALL for a few minutes in order to check whether the problem originates in that device. That is the moment at which a smart intruder enters the network, places a hostile program at any address and causes it to be executed. A FIREWALL whose failure leaves the network open in this way "fails open"; the safer design fails closed, blocking all traffic until protection is restored.
There are many more situations in which a FIREWALL cannot provide an adequate security solution for the trusted network.
A conventional solution to the security problem is the packet filter. A packet filter, whether it decides on the basis of IP addresses or of specific service ports, can no longer be considered an adequate answer to content threats. Viruses, Trojan horses and other hostile code cannot be detected by a packet filter. A packet is the native unit of transported data: packet lengths vary independently, packet timing is spread irregularly, the order in which packets arrive is not necessarily the order in which they were sent, and a single hostile file is spread across many packets. These native properties make it very hard for a content detection process to recognize a transported hostile application at the packet level.
Many security products use third-party technologies to detect viruses, Trojan horses, ActiveX controls or Java applets and scripts. All these products operate while data is in transit from one node to another, and the transport delay they add becomes a significant factor. Hence many detection tools cannot exhaust their detection capabilities, since applying the most thorough detection algorithms takes too much time. As a compromise, these tools look for a set of patterns and "signatures" that are already known to be traces of hostile code, and therefore cannot recognize hostile code that has not been seen before.
Another conventional solution is the application gateway. The concept of this mechanism is to build a gateway at which applications send and receive messages. A message is a collection of packets reassembled into a unit that is meaningful to the application. The FIREWALL hands the message to a specific application, usually a third-party one, and that application is required to handle the message: to accept it, to modify it or to discard it.
As mentioned above, such a mechanism cannot deliver the best results that current hostile-code detection technology offers. A message, although it represents a complete block of data, may hide only part of a hostile program, and not necessarily a part that is easy to detect. Since message transport time is a major factor, detection time becomes critical, and as a result all the tools currently in use make a relatively superficial test of each message, looking as quickly as possible for the patterns and signatures of known hostile applications.
Accordingly, there is a long felt need for, and it would be very desirable to have, a system and method for providing a trusted network which permits a high rate of detection of hostile applications and prevents unauthorized access and unauthorized services in the network, while still permitting the trusted network to be connected to a non-trusted network that has access to conventional TCP/IP applications.