1. Technical Field
The present invention relates to the construction of firewalls that screen internal computer networks from the Internet. More specifically, the invention screens incoming data based on its content.
2. Description of Related Art
Increased reliance on the Internet in recent years has created a new host of security problems for organizations wishing to exploit this resource. Examples of these problems include the infiltration of computer viruses into internal computer networks, and the downloading of indecent material onto individual workstations. To cope with these problems, organizations have developed several methods for monitoring and controlling the influx of data from the Internet into their internal networks. Each of these approaches has its strengths and weaknesses.
One popular method of filtering incoming Internet data is the use of a firewall, a selective gateway standing between the Internet and an internal computer network. Firewalls can be designed to prevent specific types of data from entering the internal network and have the advantage of providing a centralized point from which administrators can control the influx of data.
A common way of setting up a firewall is to manually insert the address of a particular Internet site into the filtering rules of the firewall. Once a site is listed in the filtering rules, the firewall will automatically prevent electronic documents from that site from entering the internal network. A primary advantage of this method is that specific, objectionable sites can be blocked with certainty. Unfortunately, this approach is also very labor intensive, as it requires administrators to first evaluate the content of an Internet site and then manually add it to the filtering rules. This process diverts administrators from the important job of managing an organization to the mundane job of monitoring Internet access by employees, students, or staff. In addition, the administrator cannot add a site to the filtering list unless he or she knows about it. Considering the size and dynamic nature of the Internet, the administrator is certain to remain several steps behind changes in Internet content.
Another approach is to have the firewall scan the content description language coming in from the Internet and check the tag information within the content description. The tags describe the elements of an electronic document and are used by browser programs to display data properly. If the firewall detects content descriptions that have been added to the filtering rules, the Internet document will automatically be blocked from entering the internal network. Such content filtering reduces the burden on administrators by allowing them to set more general filtering guidelines rather than manually adding individual sites to the filtering rules. A disadvantage of this type of content filtering is the processing burden created by scanning all incoming Internet traffic. Having to scan the content description of all incoming traffic and compare that content to the filtering rules requires considerable processing resources, which must be diverted from other uses.
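As an added illustration of the two approaches described above (the manually maintained site list and the scan of tag information in the content description), the following Python sketch combines both checks in one screening function. It is example code written for this page, not part of the patent or any product; the host list, the rule terms, and the two sample documents are constructed, and the choice to read only `<meta>` tags in the document head is an assumption made to keep the per-document scanning cost small.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed rule set. BLOCKED_HOSTS stands in for the manually maintained
# site list; BLOCKED_TAG_TERMS stands in for content-description rules keyed
# by <meta name=...> and matched against comma-separated content values.
BLOCKED_HOSTS = {"blocked.example.invalid"}
BLOCKED_TAG_TERMS = {
    "keywords": {"casino", "warez"},
    "rating": {"adult"},
}

# Constructed sample documents used to exercise the filter.
SAMPLE_CLEAN = """<html><head><meta name="keywords" content="news, weather">
<title>Daily report</title></head><body><p>Hello</p></body></html>"""
SAMPLE_FLAGGED = """<html><head><meta name="keywords" content="casino, news">
<title>Promo</title></head><body><p>Play now</p></body></html>"""


class MetaTagCollector(HTMLParser):
    """Collect <meta name=... content=...> pairs from the document head only.

    Stopping at </head> (an assumption of this example) bounds the amount of
    each document that has to be parsed, which is the processing cost the
    description above calls out.
    """

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.done = False

    def handle_starttag(self, tag, attrs):
        if self.done or tag != "meta":
            return
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        content = a.get("content") or ""
        if name:
            self.meta.setdefault(name, []).append(content)

    def handle_endtag(self, tag):
        if tag == "head":
            self.done = True


def host_is_blocked(url, blocked_hosts=BLOCKED_HOSTS):
    """Cheap check against the administrator-maintained site list."""
    host = (urlparse(url).hostname or "").lower()
    return host in blocked_hosts


def blocked_tags(html, rules=BLOCKED_TAG_TERMS):
    """Return (meta-name, term) pairs where a content-description rule matched."""
    parser = MetaTagCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for name, terms in rules.items():
        for content in parser.meta.get(name, []):
            tokens = {t.strip().lower() for t in content.replace(";", ",").split(",")}
            for term in sorted(terms & tokens):
                hits.append((name, term))
    return hits


def screen(url, html):
    """Decide ("block"|"allow", reason) for a document fetched from url.

    The site-list check runs first because it costs a single set lookup;
    the tag scan only runs for documents that pass it.
    """
    if host_is_blocked(url):
        return ("block", "site list: " + (urlparse(url).hostname or ""))
    hits = blocked_tags(html)
    if hits:
        return ("block", "content rule: " + ", ".join(f"{n}={t}" for n, t in hits))
    return ("allow", "")


if __name__ == "__main__":
    print(screen("http://blocked.example.invalid/index.html", SAMPLE_CLEAN))
    print(screen("http://news.example.invalid/today", SAMPLE_CLEAN))
    print(screen("http://news.example.invalid/promo", SAMPLE_FLAGGED))
```

The ordering of the two checks is the point of the sketch: the site list gives a certain, cheap decision for known hosts, while the tag scan gives the more general rule but has to parse each document, so it is applied only to traffic the site list did not already settle. A filter like this only sees what a document says about itself in its tags, so a document whose author omits or misstates its metadata passes the tag rule; that is the trade-off between the two approaches the description above draws.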
In addition to firewalls, Internet content may be filtered by using a distributed network, in which Internet content is filtered at the workstation just before it is rendered by the browser. This approach essentially offloads processing tasks from the server onto the client computers, which can substantially degrade performance, especially if the clients are “thin,” having little processing capability themselves. This type of setup generally does not work well in a corporate environment because of the performance degradation and logistical problems of having filtering code distributed among several client machines.
Therefore, an Internet filtering method that allows content to be screened at a central firewall, but does not require heavy processing loads or constant monitoring and input from an administrator, is desirable.