Computer systems and related technology affect many aspects of society. Indeed, the computer system's ability to process information has transformed the way we live and work. Computer systems now commonly perform a host of tasks (e.g., word processing, scheduling, and database management) that prior to the advent of the computer system were performed manually. More recently, computer systems have been coupled to one another and to other electronic devices to form both wired and wireless computer networks (e.g., the Internet) over which the computer systems and other electronic devices can transfer electronic data. As a result, many tasks performed at a computer system (e.g., voice communication, accessing electronic mail, controlling home electronics, Web browsing, and printing documents) include the exchange of electronic messages between a number of computer systems and/or other electronic devices via wired and/or wireless computer networks.
However, transmitting and storing information on computer networks, and especially the Internet, raises various security issues. Any computer system using the Internet to store or transfer information is vulnerable to attack from all other computer systems on the Internet. As a result, many entities want to utilize the benefits of the Internet while still protecting their data and computer systems from attack. To meet the need for security on the Internet, a variety of products have been developed.
One product in particular is the “firewall.” Firewalls are used to monitor communication between computer networks. If a firewall detects communication that might be a security risk, the firewall blocks the communication. Firewalls are often used to protect an entity's private network from exposure to the security risks inherent in communication over the Internet. In operation, a private network sits “inside” the firewall. When communication that might pose a security risk to the private network is detected from a device “outside” the firewall, for example from the Internet, the communication is blocked.
Firewalls are therefore advantageous for shielding a private network from harmful communication originating on the Internet. Firewalls can be configured to block communication based on various criteria, including content of the communication and originating address of the communication. It may also be the case that a firewall is configured to block content depending on the protocol that is used. For instance, when using a connection-oriented protocol (like TCP), the firewall is configured to communicate with clients inside the firewall that plan on sending data to, and receiving data from, a machine outside the firewall. In these environments, the firewall acts more like a proxy server, where the firewall establishes a connection with an outside server, on behalf of the client machine, while protecting the identity of the internal machine from the external server. However, when using a connectionless-protocol (like UDP) this security functionality is disabled. Thus, many private networks use firewalls to block communication using connectionless protocols in order to protect the private network.
However, a disadvantage of using firewalls to block communication is that firewalls can prevent useful communication, for example, communication from a computer system outside the firewall that legitimately needs to send communications to a device inside the firewall. For example, a firewall can block communication from one portion of a distributed application (e.g., a Web service) outside the firewall from entering a private network that includes another portion of the distributed application. However, it is important with the ever-increasing number of applications exchanging data on the Internet, that a computer system inside a firewall receives legitimate communication from computer systems outside the firewall.
As previously described, at least to some extent, firewalls can be configured to permit some external communication to pass through to computer systems inside the firewall. For example, a firewall can be configured such that communication to a specified port, for example, port 80, is permitted to pass through the firewall. Thus, a firewall can be configured to permit access to Web based data (e.g., for purposes of Web browsing) on computer systems inside the firewall.
However, as the number and complexity of services inside a firewall increase, maintaining an appropriate firewall configuration becomes more difficult. For example, there may be tens or even hundreds of computer systems inside a firewall and each computer system may include a significant number of services. Communication to different services inside the firewall can be facilitated via various different port numbers. Some of the services may need to accept communication from outside the firewall and other services may not need to accept communication from outside the firewall. Thus, ports for services that need to accept communication from outside the firewall must be configured to allow such communication. On the other hand, ports for services that do not need to accept communication from outside the firewall must be configured to block such communication.
Based on changing operational requirements, the needs of services to accept or not accept communication from outside the firewall can change over time. The firewall may need to be reconfigured each time a new service is added and each time a service's need to accept communication from outside the firewall changes. Accordingly, maintaining an appropriate firewall configuration to satisfy the communication needs of services inside the firewall, while at the same time insuring the security of the services inside the firewall, can consume significant administrator resources.