The present invention relates, in general, to information processing system organization and, in particular, to input and output data processing flow controlling.
A firewall is a device for, or method of, controlling the connectivity of one computer network to another. A firewall is commonly referred to as a packet filter or a gateway and is used, mainly, to provide security for a computer network. For example, a user may wish to have a private computer network be remotely accessible from a public computer network by certain users (e.g., employees) but not by others (e.g., hackers). Here, a firewall may be placed between the private computer network and the public computer network to allow only authorized users to access the private computer network from the public network.
An example of a public computer network is the Internet. Communication over the Internet is conducted using certain protocols. These protocols allow users with different computers and different operating systems to communicate with each other over the Internet. Typical Internet protocols include the Transmission Control Protocol (TCP) and the Internet Protocol (IP). Other Internet-compatible protocols are based on TCP and IP.
In IP, a data stream to be transmitted is divided into a number of packets, where each packet carries its own IP header. A source address and a destination address of the data stream are added to each packet along with the information needed to recombine the packets into the original data stream. The source address identifies from where in the network the packet came, while the destination address identifies to where in the network the packet is to be sent (i.e., the endpoint, or collection of endpoints, of the data stream). A series of packets, each identified by the same source address and the same destination address, is commonly referred to as a flow. With these addresses, there is no need for every packet to take the same route to the destination address. By allowing the packets to travel different routes, the sudden unavailability of a transmission path over which previously transmitted packets travelled will not result in an incomplete transmission; subsequently transmitted packets are simply sent over a different available transmission path. Since IP does not require data to be sent over a single fixed connection, a network that employs IP is commonly referred to as a connectionless network. A goal of a connectionless network is to increase the probability that a data stream will reach its destination address, but there is a performance penalty (e.g., transmission time, latency, variance of delay, etc.) associated with the additional information added to each packet. To satisfy the need for higher performance, a communication protocol named Asynchronous Transfer Mode (ATM) was developed.
In ATM, communication takes place in two steps. The first step is to establish a transmission path over which a data stream will be transmitted. Since the data stream will be sent over the established transmission path, ATM is commonly referred to as a connection-oriented network. A signal containing a request to establish a transmission path is transmitted in segments, where each segment is referred to as an ATM cell and, more particularly, as an ATM signalling segment. The transmitted segments are reassembled at the destination address to reconstruct the connection request; the connection request is then analyzed to determine whether or not to establish the transmission path.
If the transmission path is established, the second step is to transmit the data stream. The data stream is transmitted in segments, where each segment is also referred to as an ATM cell but, more particularly, as an ATM data segment. The transmitted ATM data segments are then recombined at the destination address to form the original data stream.
A transmission path may include more than one node or link. For each link in the transmission path there must be two switches, one for the data stream to enter the link and one for the data stream to exit the link. In ATM, information must be maintained that identifies all of the links and switches that comprise the transmission path used to transmit a data stream. Instead of storing all of this information at one location, portions of the information are distributed throughout the network switches along the transmission path.
Information is added to the header of each segment to determine how to forward the cell to the next point, or hop, in the path to the destination address. The header for a segment has only hop-by-hop significance (i.e., link-level), not end-to-end significance (i.e., source-to-destination). The header does not identify the source or the destination of the segment, but only provides enough information for the segment to be processed at the next hop in the path. Information that identifies the final destination of each segment is not included in the header, since all of the segments transmitted along a given transmission path follow the same route. For this reason, the headers in connectionless networks (e.g., IP) tend to be larger than headers in connection-oriented networks (e.g., ATM). The smaller header sizes and fixed cell sizes of the connection-oriented networks make it easier for the switches to process the information. Therefore, connection-oriented networks tend to be efficient and support high transmission speeds.
Some networks combine IP and ATM by transmitting IP packets over an ATM transmission channel. This is commonly referred to as IP over ATM. Here, an IP packet is divided into segments. Each segment is then made part of an ATM data segment and transmitted over the ATM network as an ATM cell.
Simply combining the capabilities of an ATM firewall with those of an IP firewall does not, necessarily, yield a more efficient or more secure firewall for an IP over ATM network. The present invention is a secure and efficient firewall that applies a security posture to connectionless network data packets (e.g., IP data packets) transmitted over a connection-oriented network (e.g., ATM).
The closest prior art to the present invention appears to be the present inventor's own previous work published in a paper entitled "An FPGA-Based Coprocessor for ATM Firewalls," by the IEEE Computer Society, Los Alamitos, Calif., on Apr. 16, 1997, in Proceedings, The 5th Annual IEEE Symposium on Field-Programmable Custom Computing Machines. The device disclosed in this publication is the subject of a patent application Ser. No. 09/059,041, filed Apr. 13, 1998, entitled "FIREWALL SECURITY APPARATUS FOR HIGH-SPEED CIRCUIT SWITCHED NETWORKS," which is now U.S. Pat. No. 6,141,755.
FIG. 1 lists the steps of the method disclosed in the above-identified publication. The first step 1 is initializing a database and a connection-oriented network approved list, where the database contains rules for allowing and denying access concerning connection-oriented network flows, and where the connection-oriented approved list includes approvals of flows carrying ATM signaling information and ATM data.
The next step 2 is receiving a datagram. The present invention uses the term datagram to mean a unit of information. Acceptable units of information for the method of FIG. 1 include an ATM signaling segment or an ATM data segment.
The next step 3 is identifying the type of the datagram (i.e., ATM signaling segment or ATM data segment).
The next step 4 is allowing the datagram access to the information processing network, recording that the datagram was allowed access to the information processing network, and comparing the connection request contained therein to the database if the datagram is an ATM signaling segment.
The next step 5 is adding the connection request to the connection-oriented network approved list if the connection request is approved by the database and returning to the second step 2. If the connection request is not approved by the database, then return to the second step 2 without recording anything on the approved list.
The next step 6 is allowing the datagram access to the information processing network, recording that the datagram was allowed access to the information processing network, and returning to the second step 2 if the datagram is an ATM data segment and is on the connection-oriented network approved list.
The next step 7 is discarding the datagram, recording that the datagram was denied access to the information processing network, and returning to the second step 2 if the datagram is an ATM data segment and is not on the connection-oriented network approved list.
FIG. 2 is a schematic of a device 20 that implements the method disclosed in the above-identified publication. The device 20 includes a flow management unit 21, having a first input/output bus 22 for receiving a flow, having a second input/output bus 23 for transmitting a flow, and having a third input/output bus 24. A connection-oriented approved list storage unit 25 has a first input/output bus 26 and a second input/output bus 27. A connection-oriented flow processor 28 is connected to the first input/output bus 26 of the connection-oriented approved list storage unit 25 and is connected to the third input/output bus 24 of the flow management unit 21. A flow command processor 29 is connected to the second input/output bus 27 of the connection-oriented approved list storage unit 25, is connected to the third input/output bus 24 of the flow management unit 21, and has an input/output bus 30. A connection-oriented (e.g., ATM) signaling flow processor 31 is connected to the input/output bus 30 of the flow command processor 29 and has an input/output bus 32. A connection-oriented signaling address database unit 33 is connected to the input/output bus 32 of the connection-oriented signaling flow processor 31. A memory management unit 34 is connected to the third input/output bus 24 of the flow management unit 21 and has an input/output bus 35. A memory unit 36 is connected to the input/output bus 35 of the memory management unit 34.
The method and device disclosed in the above-identified publication are each a firewall that only processes connection-oriented signaling segments and connection-oriented data segments. The inventors of the present invention improved upon their work by inventing a device and method that processes connectionless network segments (e.g., IP packet segments) contained within connection-oriented network cells (e.g., ATM cells).
Other prior art that may be relevant to the present invention includes the following U.S. patents.
U.S. Pat. No. 5,606,668, entitled "SYSTEM FOR SECURING INBOUND AND OUTBOUND DATA PACKET FLOW IN A COMPUTER NETWORK," discloses a device for and method of using a packet filter code that contains rules for determining whether or not a received packet should be allowed or denied access to the computer network. U.S. Pat. No. 5,606,668 requires that each packet received in all cases must be processed in accordance with the accept/reject rules. The present invention does not require that each packet received in all cases be analyzed in accordance with accept/reject rules. The processing burden required for each packet received makes the device and method of U.S. Pat. No. 5,606,668 not as efficient or secure as the device and method of the present invention. U.S. Pat. No. 5,606,668 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,623,601, entitled "APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS," discloses a device for and method of screening data in accordance with the level of security required for the data. U.S. Pat. No. 5,623,601 requires an analysis of all of the received data in accordance with a security profile established by a security administrator. The processing burden required for each datagram received makes the device and method of U.S. Pat. No. 5,623,601 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,623,601 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,802,320, entitled "SYSTEM FOR PACKET FILTERING OF DATA PACKETS AT A COMPUTER NETWORK INTERFACE," discloses a device for and method of screening data without adding any information of any network address pertaining to the screening process. This allows the screening system to function without being identified and, thus, makes it more difficult for a hacker to target. U.S. Pat. No. 5,802,320 requires that each packet received be analyzed in accordance with accept/reject rules whereas the present invention does not. The processing burden required for each packet received makes the device and method of U.S. Pat. No. 5,802,320 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,802,320 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,826,014, entitled "FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK," discloses a device for and method of a firewall. U.S. Pat. No. 5,826,014 requires that each datagram received be analyzed in accordance with accept/reject rules whereas the present invention does not. The processing burden required for each datagram received makes the device and method of U.S. Pat. No. 5,826,014 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,826,014 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,828,844, entitled "INTERNET NCP OVER ATM," discloses a device for and method of transmitting an IP data packet, ATM signaling, or ATM data. U.S. Pat. No. 5,828,844 does not disclose an efficient and hacker-resistant firewall for receiving IP data packets, ATM signaling, and ATM data as does the present invention. U.S. Pat. No. 5,828,844 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,828,833, entitled "METHOD AND SYSTEM FOR ALLOWING REMOTE PROCEDURE CALLS THROUGH A NETWORK FIREWALL," discloses a device for and method of allowing remote procedure calls through a firewall if the application server from which the request was made appears on an access control list. The access control list appears to be manually maintained. There do not appear to be any rules for automatically adding an application server to the access control list based on an analysis of the incoming request as in the present invention. U.S. Pat. No. 5,828,833 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,828,846, entitled "CONTROLLING PASSAGE OF PACKETS OR MESSAGES VIA A VIRTUAL CONNECTION OR FLOW," discloses a method of a firewall that applies the accept/reject rules to every packet received that concerns flow management (i.e., signaling rather than data) whereas the present invention does not. The processing burden required for each packet received concerning connectivity makes the method of U.S. Pat. No. 5,828,846 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,828,846 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,835,726, entitled "SYSTEM FOR SECURING THE FLOW OF AND SELECTIVELY MODIFYING PACKETS IN A COMPUTER NETWORK," discloses a device for and a method of a firewall that applies the accept/reject rules to every packet received whereas the present invention does not. The processing burden required for each packet received makes the device and method of U.S. Pat. No. 5,835,726 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,835,726 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,835,727, entitled "METHOD AND APPARATUS FOR CONTROLLING ACCESS TO SERVICES WITHIN A COMPUTER NETWORK," discloses a device for and a method of a firewall that applies the accept/reject rules to every datagram received whereas the present invention does not. The processing burden required for each datagram received makes the device and method of U.S. Pat. No. 5,835,727 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,835,727 is hereby incorporated by reference into the specification of the present invention.
It is an object of the present invention to allow a datagram access to an information processing network, where the datagram is a unit of information, where the datagram is compared only once, if at all, to a database containing rules for allowing access.
It is another object of the present invention to allow a datagram access to an information processing network, where the datagram is compared only once, if at all, to a database containing rules for allowing access, and where the datagram may be a connection-oriented network signaling segment, a connection-oriented network data segment that does not include a connectionless network packet segment, or a connection-oriented network data segment that does include a connectionless network packet segment.
It is another object of the present invention to allow a datagram access to an information processing network, where the datagram is compared only once, if at all, to a database containing rules for allowing access; where the datagram may be a connection-oriented network signaling segment, a connection-oriented network data segment that does not include a connectionless network packet segment, or a connection-oriented network data segment that does include a connectionless packet segment; and where each allowance or denial of access is recorded.
It is another object of the present invention to allow a datagram access to an information processing network, where the datagram is compared only once, if at all, to a database containing rules for allowing access; where the datagram may be a connection-oriented network signaling segment, a connection-oriented network data segment that does not include a connectionless network packet segment, or a connection-oriented network data segment that does include a connectionless network packet segment; where each allowance or denial of access is recorded; and where a system administrator is alerted if the number of denials for a particular datagram exceeds a user-definable threshold or exceeds a user-definable threshold within a user-definable span of time.
The present invention is a device for and method of controlling access to an information processing network so that a received datagram that is not already pre-approved or pre-disapproved is compared only once to the rules for acceptance or rejection. A datagram is a unit of information. The present invention only allows access to the information network to datagrams that are either a connection-oriented (e.g., ATM) signaling segment, a connection-oriented data segment that excludes a connectionless network (e.g., IP) packet segment, or a connection-oriented network data segment that includes a connectionless network packet segment.
The allowable datagrams are referred to as segments because they are, typically, only portions of some higher level of information. For example, an ATM signalling segment is a portion of one or more ATM signalling cells that is requesting a certain transmission path be established over which one or more ATM data cells will be transmitted in portions known as ATM data segments. An IP packet is, typically, transmitted in portions as IP packet segments. The segments contain enough information to allow reconstruction of the higher level information entity to which the segments pertain.
Since much computation time is taken up by an exhaustive comparison of a new datagram against the rules for acceptance or rejection, having to do this comparison only the first time a datagram with a particular set of security parameters is encountered results in a maximally efficient firewall. The rules for acceptance or rejection of a datagram are contained within a database that includes rules for accepting connection-oriented network cells, where the term cells includes segments of any type, and connectionless network packet segments. The rules may be based not only on one type of network alone (e.g., connection-oriented or connectionless) but also on one type of network in relationship to another type of network. No other firewall is known that allows such processing of a datagram.
In the preferred embodiment, the first step is initializing a database, a connection-oriented network approved list, a connectionless network approved list, and a connectionless network disapproved list.
The second step is receiving a datagram. The datagram is a unit of information. The present invention accepts datagrams that are either connection-oriented network signalling segments, connection-oriented data segments that do not include connectionless network packet segments, or connection-oriented data segments that include connectionless packet segments.
The third step is discarding the datagram and returning to the second step if the datagram is not on the connection-oriented network approved list.
The fourth step is determining the type of the datagram (i.e., a connection-oriented network signalling segment, a connection-oriented data segment that does not include a connectionless network packet segment, or a connection-oriented data segment that includes a connectionless packet segment).
The fifth step is allowing the datagram access to the information processing network and comparing the corresponding connection request to the database if the datagram is a connection-oriented network signaling segment.
The sixth step is returning to the second step if the datagram is a connection-oriented network signaling segment and the database denies the connection request of the fifth step.
The seventh step is adding the connection request of the fifth step to the connection-oriented network approved list and returning to the second step if the datagram is a connection-oriented signaling segment and the database allows the connection request.
The eighth step is allowing the datagram access to the information processing network and returning to the second step if the datagram is a connection-oriented network data segment that excludes a connectionless network packet segment and the corresponding connection request is on the connection-oriented network approved list.
The ninth step is computing a flow tag if the datagram is a connection-oriented network data segment that includes a connectionless network packet segment. The present invention is able to allow access to the information processing network to flows that are just connection-oriented network flows, just connectionless network flows that are merely embedded in a connection-oriented network flow for transmission purposes, or connection-oriented network flows that have some relationship with a connectionless network flow (either the connection-oriented network flow in which the connectionless network flow is transmitted or some other connection-oriented flow). This allows the present invention to enforce a security policy within an approved connection-oriented network flow. The present invention is the only device and method that has this capability.
The tenth step is discarding the datagram and returning to the second step if the flow tag is on the connectionless network disapproved list.
The eleventh step is allowing the datagram access to the information processing network and returning to the second step if the flow tag is on the connectionless network approved list.
The twelfth step is comparing the flow tag to the database if the flow tag is not on the connectionless network approved list or the connectionless network disapproved list.
The thirteenth step is discarding the datagram, adding the flow tag to the connectionless network disapproved list, and returning to the second step if the database rejects the flow tag.
The fourteenth, and last, step is allowing the datagram access to the information processing network, adding the flow tag to the connectionless network approved list, and returning to the second step if the database accepts the flow tag.
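The fourteen steps above, together with the recording and alerting step described later in this summary, form one decision procedure. The following is an added illustration written for this page; it is not the patent's own code or the FPGA design of the cited publication. It models a datagram as a record that already carries the fields the firewall needs (the VPI/VCI of the ATM connection, the called-party address of a connection request, and the IP header fields of an embedded packet segment); the field names, the rule format, and the use of the assigned VPI/VCI pair as the connection-oriented approved-list key are assumptions. The signaling and plain-data path (steps 3 through 8) is the FIG. 1 procedure; steps 9 through 14 add the flow tag and the connectionless approved and disapproved lists, so the rule database is consulted at most once per connection request and once per flow tag. Sample rules and sample datagrams are constructed for the example. Signaling uses the standard UNI channel VPI 0 / VCI 5.

```python
"""One-touch firewall for IP-over-ATM datagrams (illustrative model, not the
patent's implementation). Field layout, rule format and list keys are assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

SIGNALING, DATA, DATA_IP = "co_signaling", "co_data", "co_data_with_ip"
SIGNALING_CHANNEL = (0, 5)   # standard ATM UNI signaling VPI/VCI


@dataclass(frozen=True)
class Datagram:
    kind: str
    vpi: int
    vci: int
    called: Optional[str] = None                       # connection request (assumed field)
    requested_vc: Optional[Tuple[int, int]] = None     # VPI/VCI the request would open (assumed)
    src: Optional[str] = None                          # IP header fields of an embedded
    dst: Optional[str] = None                          # packet segment (assumed fields)
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


class RuleDatabase:
    """Accept/reject rules. An IP rule may be tied to one ATM connection (vc) or
    apply inside any approved connection (vc=None); this is the 'one type of
    network in relationship to another' the text describes. Sample rules are constructed."""

    def __init__(self):
        self.lookups = 0                                       # how often rules were consulted
        self.allowed_called = {"4701234567"}                   # constructed called-party address
        self.ip_rules = [((1, 100), ip_network("10.0.0.0/24"), 6, 443),   # HTTPS only on VC 1/100
                         (None, ip_network("10.0.1.0/24"), 17, 53)]       # DNS on any approved VC

    def allow_connection(self, called: Optional[str]) -> bool:
        self.lookups += 1
        return called in self.allowed_called

    def allow_flow(self, tag) -> bool:
        self.lookups += 1
        vpi, vci, _src, dst, proto, _sport, dport = tag
        return any(vc in (None, (vpi, vci)) and ip_address(dst) in net
                   and proto == rproto and dport == rport
                   for vc, net, rproto, rport in self.ip_rules)


class OneTouchFirewall:
    def __init__(self, db: RuleDatabase, threshold: int = 3, window: float = 10.0):
        self.db = db
        self.co_approved = {SIGNALING_CHANNEL}   # step 1: signaling channel pre-approved
        self.cl_approved, self.cl_disapproved = set(), set()
        self.log, self.alerts = [], []
        self.threshold, self.window = threshold, window
        self._denials = defaultdict(deque)       # per-key denial timestamps (sliding window)

    def _record(self, now: float, verdict: str, key: str) -> None:
        self.log.append((now, verdict, key))
        if verdict == "denied":
            times = self._denials[key]
            times.append(now)
            while now - times[0] > self.window:      # drop denials outside the window
                times.popleft()
            if len(times) > self.threshold:
                self.alerts.append(f"{len(times)} denials of {key} within {self.window}s")

    def process(self, d: Datagram, now: float) -> bool:
        vc = (d.vpi, d.vci)
        if vc not in self.co_approved:                           # step 3
            self._record(now, "denied", f"vc={vc}")
            return False
        if d.kind == SIGNALING:                                  # steps 5-7: admitted, then checked
            self._record(now, "allowed", f"signaling vc={vc}")
            if self.db.allow_connection(d.called) and d.requested_vc:
                self.co_approved.add(d.requested_vc)
            return True
        if d.kind == DATA:                                       # step 8: VC already approved
            self._record(now, "allowed", f"data vc={vc}")
            return True
        tag = (d.vpi, d.vci, d.src, d.dst, d.proto, d.sport, d.dport)   # step 9: flow tag
        if tag in self.cl_disapproved:                           # step 10
            self._record(now, "denied", f"flow={tag}")
            return False
        if tag in self.cl_approved:                              # step 11
            self._record(now, "allowed", f"flow={tag}")
            return True
        allowed = self.db.allow_flow(tag)                        # step 12: the single rule lookup
        (self.cl_approved if allowed else self.cl_disapproved).add(tag)   # steps 13-14
        self._record(now, "allowed" if allowed else "denied", f"flow={tag}")
        return allowed


def demo():
    """Run a constructed sequence of datagrams; returns (firewall, verdicts)."""
    fw = OneTouchFirewall(RuleDatabase())
    setup = Datagram(SIGNALING, 0, 5, called="4701234567", requested_vc=(1, 100))
    bad_setup = Datagram(SIGNALING, 0, 5, called="4709999999", requested_vc=(1, 200))
    stray = Datagram(DATA, 1, 200)                                # VC never approved
    web = Datagram(DATA_IP, 1, 100, src="192.0.2.10", dst="10.0.0.7", proto=6, sport=40000, dport=443)
    ssh = Datagram(DATA_IP, 1, 100, src="192.0.2.10", dst="10.0.0.7", proto=6, sport=40001, dport=22)
    seq = [setup, bad_setup, stray, web, web, web, ssh, ssh, ssh, ssh, ssh]
    return fw, [fw.process(d, float(t)) for t, d in enumerate(seq)]
```

In `demo()`, eleven datagrams cause only four rule lookups: one per connection request and one per new flow tag; the repeated `web` and `ssh` segments are decided from the approved and disapproved lists, and the fourth and fifth `ssh` denials within the ten-second window raise the administrator alert. Two properties of the method carry over into the model and are worth noting when evaluating it: a signaling segment is admitted to the network before its connection request is checked (step 5), and the cached verdict is only as safe as the flow tag is specific. Every field the rules can depend on, including the carrying VPI/VCI, must be part of the tag; otherwise a cached "allowed" entry for one flow would be reused for a different one that the database would have rejected.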
No other firewall is known that performs this "one-touch" approach on connection-oriented network signaling segments, connection-oriented data segments that exclude a connectionless packet segment, and connection-oriented network data segments that include a connectionless packet segment.
The method of the present invention may include a step of recording all allowances of access to the information processing network, recording all discarded datagrams, and alerting a system administrator of any system activity that is worthy of immediate attention.
The device of the present invention that implements the method described above includes a flow management unit, a connection-oriented network approved list storage unit, a connection-oriented network flow processor, a first connectionless network flow processor, a connectionless network approved list storage unit, a connectionless network disapproved list storage unit, a flow command processor, a connection-oriented network signaling flow processor, a connection-oriented network signaling address database unit, a second connectionless network flow processor, a connectionless network address database unit, a memory management unit, a memory unit, and a cell identification processor.