Computer networks and the online sharing (including reception and dissemination) of data have added significant convenience in conducting individual, consumer, and corporate activities. Unfortunately, however, such convenience also brings added risk of unauthorized access to data, and particularly sensitive data.
Computing users ranging from individuals to large corporations often employ computer networks composed of various computing and so-called “smart” devices, such as desktop and laptop computers, tablets, smart phones, smart televisions, smart appliances, and the like, interconnected to form local area networks (LANs). LANs today typically rely upon a firewall, router, switch or gateway to interconnect to a wide area network (WAN), such as the Internet. Typically, these devices provide static firewall settings that are based upon configured rules which determine the Internet Protocol (IP) traffic that may enter into or leave the LAN. These firewalls are static in nature, are difficult to interface with, are rarely modified by the user, and are themselves typically discoverable by entities in the WAN. They rely on user input and provide limited information about the data that enters or exits the LAN, maintaining basic log information that is hard to share outside of the firewall and which, therefore, is typically ignored.
More sophisticated firewalls are costly and are typically only available to larger networks, since they generally require a sophisticated user to establish the appropriate rules used to allow or deny communications.
Software firewalls are also available on many operating systems, but these firewalls typically only protect one specific node on the network (i.e., the computer running the particular operating system that includes the firewall).
In the home market, these firewalls are static in nature. For hardware-based firewalls, the end user must remember the IP address assigned to the firewall. This generates an unwieldy interface, and therefore they are rarely modified. As a result, desired traffic is often blocked. For example, this happens often with individuals interested in playing internet- or LAN-based games. The user is typically asked to disable software-based firewalls when playing such games, thus removing the protection of the firewall at a critical point of vulnerability. To avoid this annoyance, firewall settings are left open and too much traffic is allowed, presenting the opportunity for virus contamination.
Thus, because these firewalls require users to statically modify the rules associated with them, they are infrequently modified and the rules are loosely defined so as to allow multiple types of activity. This results in poor protection and difficult user interfaces for the “technically challenged.”
This phenomenon explains the plethora of hacker scenarios, whether network-initiated or client-side in nature. The very porous nature of today's firewalls makes them less likely to detect and stop data loss associated with current hacking capabilities.
Firewall settings and policies are determined by the end user. As stated previously, because these are hard/awkward/inconvenient to change, the end user typically keeps the settings loose, undermining the firewall's protection.
More recently, firewalls have been known to apply more dynamic policies based upon the data traversing the network—essentially trying to learn the user's habits and keeping the firewall protection tight when it detects traffic deviations. But this practice still relies on the LAN network patterns, while stronger protection should rely on a broader set of data and statistics.
Because firewall settings and policies must be configured by the end user or network manager, requiring some skill in cybersecurity policies, the firewall settings in home and small business environments are not robust enough to provide adequate protection.
The user provisioning interfaces that maintain this static data must be used in advance of internet activity. Again, because of the nuisance factor associated with this approach, the firewall settings are often very loose or even wide open.
Software-based firewalls typically provide user-notifications, but they require software installed on the end-user LAN node to present such notifications, cannot interact with third parties on behalf of end-user nodes, and only protect a single node on the network in such a fashion.
Many networks combine loose static settings on hardware-based firewalls with more robust settings on software-based firewalls.
However, home networks may include network nodes that are not managed by an end user. The introduction of multiple internet-capable devices has made the hardware/software combination untenable. For example, a home network with computers, phones and tablets may have other network elements: e.g., internet-capable TVs, baby monitors, thermostats and home security systems. In the future, various appliances will also likely be capable of internet activity, and none of these systems are expected to have software-based firewalls, leaving security gaps in this combination approach.
Further, in small business environments, the employee typically lacks the time, motivation or knowledge to properly maintain software firewall settings. And current systems do not provide the network security manager of the business with the ability to serve as a third party to manage the firewall settings on behalf of the employees, again leaving security gaps in the combination approach.
Moreover, hardware-based firewalls are network nodes on the LAN. Because they have IP addresses that are, by definition, discoverable by the outside world, clever hackers can typically scan such firewalls and determine the type of firewall protecting the LAN. This allows the hacker to identify specific types of cyber exploits which can compromise the firewall, resulting in network penetration and data loss.
Likewise, hardware-based firewalls provided for home and small-business environments typically only provide logs that the user can peruse to determine the state of traffic on the LAN. Reviewing such logs requires logging into the router (an infrequent task). A limited set of state information of various nodes on the network may be available, but there is no visualization presentation of the network and no analysis of data traffic.
Some analysis and visualization is available through complementary software packages that can assess the data traffic of the router, assuming that the router supports the sharing of its data (e.g., a router may have to be put into “promiscuous mode” in order to share its data with another node on the network which would do the data analysis). This type of analysis requires Information Technology (IT) knowledge not often found in the end user/network manager, particularly in a home environment.
Furthermore, firewalls focus on defending against unknown incoming traffic. For web browsing and other LAN to WAN activities to be unimpeded, firewalls are often configured to allow all outgoing traffic. Client-side attacks happen when the end user unknowingly initiates a connection to a malicious server through email or insecure browsing, thus completely bypassing the firewall.
Even if a firewall did block outgoing malicious traffic associated with a client-side attack, the malicious software that initiated the traffic would not be detected or quarantined. Instead, the malicious software would continue to send communications attempts to a WAN IP address.
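The retry pattern described above, shown with an added example that is not part of the patent: a small Python analyzer over firewall egress logs that flags the LAN node whose outbound connection attempts to the same WAN address keep being dropped, which is the visibility a plain block rule does not give. The log line format and the sample lines are constructed assumptions, not any vendor's format.

```python
import re
from collections import defaultdict

# Constructed sample of firewall egress log lines (not from any real device).
# Assumed format: "<time> action=<allow|drop> src=<lan-ip> dst=<wan-ip> dport=<port>"
SAMPLE_LOG = """\
10:00:01 action=allow src=192.168.1.20 dst=93.184.216.34 dport=443
10:00:05 action=drop src=192.168.1.37 dst=203.0.113.9 dport=4444
10:00:35 action=drop src=192.168.1.37 dst=203.0.113.9 dport=4444
10:01:05 action=drop src=192.168.1.37 dst=203.0.113.9 dport=4444
10:01:12 action=allow src=192.168.1.20 dst=93.184.216.34 dport=443
10:01:35 action=drop src=192.168.1.37 dst=203.0.113.9 dport=4444
10:02:00 action=drop src=192.168.1.51 dst=198.51.100.7 dport=80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) action=(?P<action>allow|drop) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def repeated_blocked_egress(events, threshold=3):
    """Return {(src, dst, dport): count} for outbound attempts dropped at least
    `threshold` times. One drop is noise; repeated drops to the same destination
    are the retry behaviour of software that keeps trying to reach a WAN address."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "drop":
            counts[(e["src"], e["dst"], int(e["dport"]))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def suspect_nodes(text, threshold=3):
    """Parse the log and return the sorted LAN source addresses that should be
    inspected or quarantined, i.e. the nodes the block rule alone never names."""
    flagged = repeated_blocked_egress(parse_log(text), threshold)
    return sorted({src for (src, _, _) in flagged})

if __name__ == "__main__":
    for key, n in repeated_blocked_egress(parse_log(SAMPLE_LOG)).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} dropped {n} times")
    print("nodes to inspect:", suspect_nodes(SAMPLE_LOG))
```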
Firewalls are configured by end users via configuration interfaces accessed either via web services (for hardware-based systems) or via a custom-software interface (for software-based systems). As such, their configurations can be accessed remotely should a hacker gain access to an end-user node within the LAN.
This is a common technique for cyber attacks. Gaining password access to the firewall gives access to the firewall configuration. Many home and small business firewalls are installed by Internet Service Providers (ISPs), and ISPs often want remote access so that they can assist the user or override the firewall settings. Such access opens the door to cyber attacks that attempt to impersonate the ISP or the end user, thereby rendering the entire firewall open to bypass techniques.
Previous efforts have been made to monitor data flowing into and exiting from a network for purposes of detecting and preventing data theft and unauthorized access. For example, U.S. Pat. No. 7,890,612 of Todd et al. discloses a method and apparatus for regulating network data flow that uses a device to intercept network traffic and analyze such traffic to detect various threats. The Todd et al. device includes a single central processing unit that administers the analytical functions to detect threats, and attempts to make the device undetectable by requiring that all updates to the device, such as definitions of what does and does not comprise a threat, are carried out through a physical interface, as opposed to allowing remote access through, for example, an addressable element on the device having its own IP address. While such a device may be useful for the detection and blocking of certain threats, it does little to provide instantaneous visibility into the nature of the threat or to allow users to closely monitor the types of threats being experienced by various elements of the local network that the device is intended to protect. Likewise, the requirement for a physical interface to provide updates to threat definitions renders it difficult for administrative users to provide urgent updates when necessary, but is necessary in the device of Todd et al. to prevent detection of the device by computers outside of the local network that is under protection. Further, U.S. Pat. No. 8,176,544 of Keanini et al. describes a network security system having a device profiler that monitors network nodes and identifies vulnerabilities, in an effort to allow network traffic monitors and a firewall to protect the network elements. Still further, U.S. Pat. No. 9,369,370 of Chow et al. describes a network management device that collects operational condition information about a LAN and WAN, such as network congestion, power consumption, bandwidth utilization, security breach, network intrusion, faults, usage patterns, performance measures, and connection quality, and generates diagnostic reports relating to such conditions. Even further, U.S. Pat. No. 8,893,278 of Chechik describes a gateway positioned between a user computer and a WAN, which gateway monitors attributes of data transmissions to determine and identify malware transmissions. Malware attributes are maintained by a separate “behavior server.” Finally, PCT App. Pub. No. WO 2016/014178 of Heilig describes a method for detecting malicious network activity, which method uses network “taps” to collect and compare incoming and outgoing data packets on individual network elements to identify unauthorized data packets. The disclosures of each of the foregoing are incorporated herein by reference in their entireties.
Despite such prior efforts, there remains a need in the art for an easily implemented computer security device that is capable of monitoring all data traffic flowing into and leaving from a local network that is to be protected, while remaining wholly undetectable to the outside world, but that allows remote access for easy and quick updating of threat definitions and full visibility into both the nature of the threat and identification of the local network elements that are under attack or threat of attack.