Typically, various organizations protect their internal networks by means of a firewall, which connects the internal network of the organization to public networks and filters and selectively discards the data packets entering and exiting the internal network according to predefined rules. Thus, a firewall is a gateway which operates at the same time as a connector and a separator between the networks in a sense that the firewall keeps track of the traffic that passes through it from one network to another and restricts connections and packets that are defined as unwanted by the administrator of the system. Physically a firewall is a machine with appropriate software to do the tasks assigned to it. It can be a router, a personal computer (PC), or whatever that can be used for such purposes.
Frequently, the filtering rules of a firewall are expressed as a table or list (rule base) of rules comprising data packet characteristics and related actions. Data packet characteristics are parameter values that are obtained from header field of a data packet and may be e.g. source IP (Internet Protocol) address, destination IP address and service (or protocol) or some other values. The action gives information about how to handle a data packet, which corresponds the data packet characteristics defined in the respective rule (i.e. which matches the rule). This means that for a data packet, which has the header information indicated in a rule, the action indicated in the rule is carried out. In a firewall, the action is typically deny or allow, which means the data packet is discarded or allowed to proceed, correspondingly.
The rules of a rule base are examined in certain order until a decision how to process the data packet is reached. The order of the rules in the rule base typically defines the order in which characteristics of a data packet are compared to the rules, that is, the rules are examined one by one from the beginning of the rule base. When a rule, to which the characteristics of a data packet match, is found, the action that is related to that rule is taken and often there is no need to continue examining the rules. However, the action defined in the rule may be continue, in which case examining the rule base is continued from the next rule, or jump, in which case examining the rule base is continued from the rule specified in the jump action. The action of the firewall may be as well reject, which is similar to deny action. The difference is that deny action results in simply discarding the data packet and in reject the sender of the data packet is notified of discarding the data packet.
FIG. 1A illustrates as an example a rule base 10, having 5 rules. In each rule, a rule number, source IP address SRC ADDR, destination IP address DST ADDR, service (or protocol) and action are defined. However, this is only an example structure of rules, and also some other data packet characteristics may be defined in the rules. The rule #1 allows HTTP (Hyper-Text Transfer Protocol) data from any address to a server with IP address 172.16.1.10. All other HTTP traffic is denied with rule #2. That is, if HTTP traffic does not match the rule #1, it is denied. Rules #3 and #4 allow FTP (File Transfer Protocol) traffic from network 10.1.1.0 to FTP server at IP address 192.168.1.15 and Telnet connections from network 10.1.1.10 to any address, respectively. The firewall rule bases are commonly designed to prohibit all that is not expressly permitted in the rules. Therefore, the last rule in the rule base is usually designed to deny any data packet. Rule #5 in the rule base 10 is such rule, that is, it denies data packets of related to any service from any source address to any destination address. So, if a data packet does not match any of the first four rules, it matches this last one and is denied.
In summary, when a data packet is received in the firewall, some of the header field values of the data packet are compared to the rules, which are stored in the firewall, and when a matching rule is found, the action related to the matching rule is taken.
In a stateful firewall, information about connection history is maintained. In general, a data packet opening a connection is compared to the rules in the rule base, and if the data packet is allowed, a state is created for the opened connection. The state is created by making into a connection state table an entry that includes information for identifying the connection (e.g. source and destination address, ports and/or protocol), and the state of the connection. Other than data packets opening a connection are then compared to the connection state table and allowed, if a corresponding entry is found and the data packet is in accordance with the state of the connection. At the same time the state of the connection in the connection state table may be updated. If a corresponding entry is not found in the state table, the data packet may be compared to the rules in the rule base and possibly allowed on the basis of rules or simply discarded. Stateful inspection makes processing of data packets belonging to open connections faster than simple packet filtering on the basis of rules. Additionally, state of the connections (the data packets that have already been allowed and possibly their content) can be taken into account in processing data packets, which makes stateful firewall more secure than simple packet filter. Therefore stateful processing is desirable.
Data packet tunneling is a technique in which a data packet is encapsulated within another data packet. This means, that an additional outer header is attached to the original data packet, and the original data packet including its header(s) is transmitted as payload of the outer data packet. FIG. 1B shows a schematic diagram of a tunneled data packet, that is, of a data packet encapsulated within another data packet. Therein the data packet having an outer header HEADER_tunnel 112 has as its outer payload PAYLOAD_tunnel a data packet consisting of an inner header HEADER_orig 114 and an inner payload PAYLOAD_orig 116. At the end of the tunnel the data packet is decapsulated, that is, the outer header is “pealed off” the data packet and the original data packet is revealed.
Traditionally, the main reasons for using tunneling have been enabling transport of non-IP packets (such as IPX) in IP networks, transporting encrypted data packets and enabling connectivity between networks over a network which does not allow the use of addresses used in the communicating networks. With regard to transferring encrypted data packets, a data packet (including header) may be for example encrypted in a gateway, tunneled to another gateway, which decapsulates the tunneled data packet and decrypts the contents for obtaining the original data packet for delivery to the designated recipient.
Tunneling encrypted data packets is used for example in connection with IPsec (Internet Protocol Security), which is especially useful for implementing virtual private networks (VPN).
Other tunneling mechanisms are for example Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). PPTP is a protocol (set of communication rules) that allows corporations to extend their own corporate network through private “tunnels” over the public Internet. L2TP is an extension of the PPTP used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet. Additionally, there are other vendor-specific tunneling solutions.
Traditionally many of the connections within the tunnels (data inside the tunnel) were either encrypted, and therefore not accessible by an intermediate gateway element, or not understood by an IP firewall. Due to these features, firewalls have not been able to or required to filter data packets within tunnels. Instead filtering has been conducted on the tunnel level (on the basis of the headers of the outer data packet).
Mobile IP is a protocol for enabling an entity to change its point of attachment to the Internet without changing the IP address it is using. That is, an entity can use the same IP address even if its location in the network changes. From the network point of view, this means that the path used to deliver the traffic for the entity can change. Mobile IP creates a need for tunneling standard IP packets encapsulated in IP packets. IP-OVER-IP is a protocol for encapsulating IP packets to IP packets and is used for example in mobile IP. In the following some features of mobile IP are presented.
Traditionally, IP address of an entity uniquely identifies the entity's point of attachment to the Internet. Therefore, the entity must be located on the network indicated by its IP address in order to communicate using the IP address. Otherwise, the data packets destined to the entity by using its IP address would not be deliverable.
According to mobile IP, each mobile node (or entity) is always identified by its home IP address, regardless of its current point of attachment to the Internet. When the mobile node (MN) is outside its home network and therefore not directly reachable by its home IP address, a care-of address, which provides information about its current point of attachment to the Internet, is assigned the mobile node in addition to the home IP address. The care-of address may be the IP address of a foreign agent (FA) located in the network the mobile node is visiting or it may be a co-located care-of address, which is an address of the network the mobile node is visiting, which is dynamically assigned to the mobile node (e.g. by means of DHCP, Dynamic Host Configuration Protocol). The mobile node registers the care-of address with a home agent (HA) in its home network by sending a Registration Request message (UDP, User Datagram Protocol, data packet to port 434) to which the home agent responds with a Registration Reply message in IPv4, which is the “current” version of Internet Protocol. In IPv6, which is the next generation of Internet Protocol, the registration is done by means of specific Extension Headers. FIG. 1C shows the fields of an example IPv6 data packet. For example Extension Header 121 can be used for registering the care-of address by means of Binding Update and Binding Acknowledgement Destination Options. When the mobile node is in its home network, it communicates with other entities by using its home IP address normally. When the mobile node is outside its home network, that is, in a foreign network, other entities still reach the mobile node by using its home IP address. After the home agent has been notified that the mobile node is in a foreign network with a Registration Request message/Binding Update Destination Option giving the mobile nodes current care-of address, the home agent intercepts the data packets destined to the mobile node's home IP address. The home agent then encapsulates these data packets to data packets destined to the mobile node's care-of address (tunnels data packets) for delivery to the mobile node. If the care-of address is the address of the foreign agent, the foreign agent is the endpoint of the tunnel and it decapsulates the data packet and delivers the original data packet to the mobile node. Similarly, if the care-of address is a co-located care-of address, the mobile node is the endpoint of the tunnel and it decapsulates the data packet for obtaining the original data packet. The mobile node sends reply packets directly to the other end. In IPv6, the mobile, node sends reply packets by using its care-of address as source address, and attaches its home address to a Home Address Extension Header. In this way the data packets are routed correctly (correct source address) and the other end is able to identify the mobile node by extracting the static home address form the Home Address Extension Header. After this the other end may communicate directly with the mobile node; this is done by using the care-of address of the mobile node as a destination address, but including also mobile node's home address in data packets in a Routing Extension Header.
The methods of mobile IP are deployed also in General Packet Radio Service (GPRS). GPRS Tunneling Protocol (GTP) is the protocol used between GPRS Support Nodes (GSNs) in the UMTS/GPRS backbone network. It includes both the GTP signaling (GTP-C) and data transfer (GTP-U) procedures. In GPRS, special support nodes called Gateway GPRS Support Nodes (GGSN) and Gateway Serving GPRS Support Nodes (SGSN) are deployed. SGSNs provide the direct access point for GPRS phones, subtending from GGSNs that provide the gateway to SGSNs across mobile networks that the user may visit. The GGSN also is the access point for other packet data networks, such as Internet, and therefore enabling communication between “normal” IP networks and GPRS devices. GTP is used to forward packets from GGSN to SGSN to reach a mobile device, dynamically setting up tunnels between GGSN and its home network and allowing the mobile unit to have its home network served beyond the GGSN Internet Gateway.
Thus there is an increasing amount of tunneled data packets containing data packets that can be understood by firewalls. However, with current methods matching a data packet within a tunneled data packets to rules is difficult, since both the outer and the inner header need to be examined and matched. This requires that a separate rule is defined for each possible combination of the outer and inner header. The reason for this is that in general, the aim is to filter the connection inside the tunnel (the inner data packet), but in order to filter the inner data packet also the characteristics of the outer header need to be taken into account. Then again, one connection may be transferred in a plurality of different-tunnels, and therefore a plurality of different combinations needs to be considered in the rules.
In addition the tunnel in which a connection is transferred may change without terminating the connection. In this case, if a stateful firewall has accepted the combination of the tunnel and connection (outer and inner header characteristics) and included it into its connection state table, the firewall inevitably fails the connection after change of the tunnel, since after the change the combination of the outer and inner header has changed.
FIGS. 2A and 2B show two different scenarios of how a firewall has been able to process data packets transferred within a tunnel. In FIG. 2A, firewall 204 connects internal network 200 to public network 202 and conveys data packets between a first entity 206 in the internal network and a second entity 208 in the public network. The data packets from the first entity destined to the second entity are transferred as “normal” data packets though a normal connection 210 from the first entity to the firewall. The firewall intercepts the data packets, filters them and if they are allowed, tunnels them to the second entity through a tunnel 212. The firewall may also encrypt the original data packets before tunneling them. In the other direction, the firewall receives tunneled data packets, decapsulates them and then filters them. Thus, the firewall is filtering the inner data packet and does not need to take care of the outer data packets in the filtering process. This scenario is suitable for VPN for example. But this scenario clearly does not suit for situation where the tunnel starts at some other point than the firewall.
In FIG. 2B, firewall 214 connects the internal network 200 to the public network 202 and conveys data packets between a first entity 216 in the internal network and a second entity 218 in the public network. The data packets from the first entity destined to the second entity are transferred to the firewall in a tunnel 220. The firewall is the endpoint of this tunnel and thus it intercepts the data packets and decapsulates them. After this the firewall filters the data packets and if they are allowed, tunnels them to the second entity through a tunnel 222. That is, the firewall acts as an endpoint of one tunnel and starting point of another. Thus, the firewall is filtering the inner data packet and does not need to take care of the outer data packets in the filtering process. The disadvantage of this method is that it is not transparent to the users. For example, the first entity 216 needs to be aware of the firewall 214 and its IP address in order to be able to create the tunnel 220 to the firewall.
Due to deficiencies described above, a method for transparently filtering connections within a tunnel is needed.