Many individual computer users do not understand that there may be many operations going on within their individual computer resource which affect its security. These operations are generally invisible to an unsophisticated user. This invisibility is a result of the fact that computer users typically interface only with the operating system of an individual computer resource and a small number of software applications being run by the operating system of a computer resource in that portion of the operating environment known as the user space. What happens in the other portion of the operating environment of a computer resource, called the kernel space, is generally unseen and left unexplored by those computer users without the competence or desire to explore the inner workings of their computer resource.
Most computer users are completely unaware that whatever they do in the user space enters into the generally unseen portion of the operating environment called the kernel space, even though the major portion of a computer resource's operating system resides in the kernel space. As operating systems have evolved since personal computers became generally available, the working interface actually perceived by the computer user, in the user space, and the operating system of a computer, in both the user space and in the kernel space, has become more and more friendly to the ordinary computer user. This user-friendliness is a result of increased complexity and functionality being added to that portion of the operating system resident in the kernel space.
Not only has increased complexity been added to the operating system resident in the kernel space by those software makers who make and sell computer operating systems, but in addition the wide variety of available hardware devices which can be attached to a computer system often include specialized operating software which simplifies the operation of the hardware device made available to the computer user in the user space. This specialized operating software for hardware devices is downloaded into the operating system resident in the kernel space to assure that the user's difficulty in operating the hardware device is minimized. Similarly, software applications, which are installed by a computer user using that portion of the operating system resident in user space, often include a large block of programming code which makes the software user-friendly. This large block of programming code is then added to that portion of the operating system resident in the kernel space. The danger is that, unbeknownst to the user, the simple attachment of a hardware device to a personal computer or the simple loading of a new piece of software can insert unwanted or malicious programming code into the operating system of an individual computer resource. Unless something unusual happens, the computer user will have no indication that unwanted or malicious programming code has been downloaded into his computer resource.
Consider, for example, the basic model of a single, stand-alone, un-networked personal computer with a telephone connection to the internet. If the computer user manually installs a commercially available software application from a floppy disk or CD, or if the computer user downloads a software application into his personal computer from the internet, that software application may include an unwanted or malicious programming code such as a hidden reporting feature which uses the connection of the personal computer to the internet to provide the maker or vendor of the software, or even a third party, with information regarding the frequency of use of the software, information about the user of the software, or in the worst cases, the actual content of data in a secure data storage location. Such information may be sent to the maker of the piece of commercial software or a third party whenever the software is being used, or such information may be stored in the kernel space and transmitted at regular or irregular times and intervals, such as 3:00 am every Sunday morning, or only on the 30th day of months having 31 days, or whenever the user logs onto the internet. The actual transmission or the content of such reports is unseen by the computer user, as most computer users do not monitor, or for that matter, do not even know how to monitor, the information being sent out by their personal computer over the internet. The instructions to send reports back from a computer resource may originate with the vendor of the software to the user, or they may be placed on a CD by the vendor who supplied the CDs to the software application vendor. The simple fact is that the manual installation of a commercial software application as innocuous as a screen saver may significantly add to and change the operating system resident in the kernel space of an individual computer resource.
Consider now a personal computer or individual computer resource connected to a network of personal computers or individual computer resources using the internet for the purpose of sharing licensed software and proprietary data. Access to all of the internet is also provided for all individual computer resources in the network. Software, web pages, and a variety of other information may be downloaded from the internet to the individual computer resources in the network. Just like commercially available software programs that are either manually installed or downloaded from the internet add to or change the operating system resident in the kernel space of an individual computer resource, so too will computer instructions downloaded from the internet add to or change the operating system resident in the kernel space of all individual computer resources connected to the network of individual computer resources. Once again, the simple act of downloading a software application or data from the internet may inject unwanted or malicious instructions into the operating systems resident in the kernel space—which instructions are invisible to the computer user. As previously indicated, the instructions may simply be to report usage of a software application, but once entrance has been gained into that portion of the operating system resident in the kernel space, any aspect of the workings of the operating system resident in the kernel space of the individual computer resource can be added to, modified, or dramatically changed.
Those who seek to gain access to and modify the operating system of the computer resource of another form a particularly dangerous group of computer hackers. These computer hackers have discovered that once entrance has been gained into the operating system resident in the kernel space of an individual computer resource, a wide variety of other changes can be made. Such changes may actually alter the way the operating system resident in the kernel space works. Such changes may be programmed to occur immediately, or the changes may be programmed to occur after being triggered by a specific event or the occurrence of a specific point in time. Such changes to the operating system resident in the kernel space can include disabling or modifying the internal security system portion of the computer operating system or leaving a back door open into the kernel space. This open back door will permit future additions, modifications, or dramatic changes to that portion of the operating system resident in the kernel space. Such dramatic changes may include altering the way the computer processes operating instructions and/or uses data to provide results for the computer user or the basic way the computer saves, manipulates, and reports the results of standard operations involving stored data.
In most business applications, the personal computer resident at the desk of an employee is connected to a proprietary network linking the employee to the business' software and providing access to the business' proprietary data. In this proprietary network, an individual computer resource may be typically connected to a host of other personal computers resident at the desks of other employees located in a small geographical region, or in a state, or in a country, or possibly even around the world. Complex proprietary networks of individual computer resources include sub-networks built around nodes. The sub-network nodes are then interconnected to form massive computer networks available to large numbers of users.
Management of communication within large proprietary computer networks is often done by server computers located at network nodes. The simple inclusion of an individual computer resource into a proprietary computer network provides at least two more paths into the operating system resident in the kernel space of the individual computer resource. The first path is the connection to the proprietary network by which functionalities and proprietary data are shared. The second path into the kernel space of the individual computer resource is the access given to one or more network administrators to control and maintain communications among the various individual computer resources in the proprietary network of individual computer resources.
Because the individual computer resources in a proprietary computer network are continually in contact with one another and are sharing both software and proprietary data, the downloading of unwanted or malicious programming code into the operating system resident in the kernel space of one individual computer resource in a computer network can rapidly be spread to all of the computer resources in the network. It has been estimated that many of the intrusions into the operating systems resident in the kernel space of networked individual computer resources actually originate from within a proprietary computer network. Accordingly, the vulnerability of all of the individual computer resources in a proprietary network is the same as the vulnerability of the least protected individual computer resource in the proprietary computer network. And, with the increased use of network switches and the increasing speeds of communication among the individual computer resources within a proprietary computer network, the problem of protecting the operating system resident in the kernel space of the individual computer resources in a proprietary computer network becomes an increasingly difficult problem to manage for those responsible for security of a proprietary computer network.
As the problem of unwanted intrusion into the operating system resident in the kernel space of a computer is not a new one, there have been several approaches to protecting the operating system resident in the kernel space of an individual computer resource.
The embedded operating system utility that creates an audit trail for security analysis requires that all of the data collected about communication with the operating system be written to a data storage file and then, at some future time, read back into an audit trail analysis program, which detects a possible security breach by looking for anomalies in the audit trail data. Of course, the larger the quantity of audit trail data, the larger the data storage file needed to hold the audit trail information.
Hackers, or those seeking to avoid detection by a security utility in an operating system which performs an audit trail analysis to detect security breaches, quickly learned that by turning off the utility in the operating system which creates an audit trail, or by deceiving the analysis program which analyzes the audit trail with vast amounts of spurious data, entry could be gained into that portion of the operating system resident in the kernel space. Once entry has been gained into that portion of an operating system resident in the kernel space, the hacker can manipulate the operating system to obtain administrator privileges and thereby reconfigure the existing embedded security utility. For example, a hacker with administrator privileges can corrupt the transfer of audit trail data from its storage location to the audit trail analysis program. Such corruption of the audit trail data on its transfer to an audit trail analysis program defeats the embedded security utility of an operating system. It has been found that some hackers are even able to disguise their break-ins and permanently leave a door open into the operating system for future unwanted or malicious intrusions.
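The audit trail analysis described above, as an added illustration that is not part of the original text and does not correspond to any particular operating system utility: a short Python script that reads a constructed audit trail (the comma-separated record format, the field names, the sample records and the thresholds are all assumptions) and flags three of the anomalies the passage mentions. It reports gaps in the record sequence (records dropped or corrupted in transfer), long silent periods during which the audit utility may have been turned off, and bursts of records from one user that could be spurious data meant to swamp the analysis program.

```python
"""Audit-trail anomaly checks: sequence gaps, silent periods and record floods."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail in an assumed format: seq,timestamp,user,event.
# Records 4-6 are missing, nothing is logged for about 43 minutes, and user
# "bob" produces a burst of records within a single second.
SAMPLE_AUDIT = """\
1,2024-01-07T02:58:00,alice,login
2,2024-01-07T02:58:05,alice,open_file
3,2024-01-07T02:58:09,alice,logout
7,2024-01-07T03:41:00,bob,login
8,2024-01-07T03:41:01,bob,read
9,2024-01-07T03:41:01,bob,read
10,2024-01-07T03:41:01,bob,read
11,2024-01-07T03:41:01,bob,read
12,2024-01-07T03:41:02,bob,read
13,2024-01-07T03:41:02,bob,read
14,2024-01-07T03:41:30,bob,logout
"""


def parse_audit(text):
    """Turn the raw audit file into a list of records ordered as written."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        seq, stamp, user, event = line.split(",", 3)
        records.append({"seq": int(seq), "time": datetime.fromisoformat(stamp),
                        "user": user, "event": event})
    return records


def find_sequence_gaps(records):
    """Pairs (previous_seq, next_seq) where numbering is not contiguous."""
    return [(prev["seq"], cur["seq"]) for prev, cur in zip(records, records[1:])
            if cur["seq"] != prev["seq"] + 1]


def find_silent_periods(records, max_silence=timedelta(minutes=30)):
    """Triples (seq_before, seq_after, seconds) for unusually long quiet spells."""
    silent = []
    for prev, cur in zip(records, records[1:]):
        delta = cur["time"] - prev["time"]
        if delta > max_silence:
            silent.append((prev["seq"], cur["seq"], int(delta.total_seconds())))
    return silent


def find_floods(records, window=timedelta(seconds=1), threshold=5):
    """Per user, a sliding window: flag the first window holding > threshold records."""
    floods = []
    times_by_user = defaultdict(list)
    for rec in records:
        times_by_user[rec["user"]].append(rec["time"])
    for user, times in times_by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                floods.append((user, times[start].isoformat(), end - start + 1))
                break  # one alert per user is enough for the report
    return floods


def analyze(text):
    """Run all three checks over an audit file and return the findings."""
    records = parse_audit(text)
    return {"sequence_gaps": find_sequence_gaps(records),
            "silent_periods": find_silent_periods(records),
            "floods": find_floods(records)}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_AUDIT).items():
        print(kind, findings)
```

The three checks are deliberately independent: a sequence gap without a silent period points at records lost in transfer, a silent period without a gap points at the audit utility having been switched off and on again, and a flood is the signature of the spurious-data tactic the passage describes.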
Another attempt to protect the operating systems resident in the kernel space of an individual computer resource is by the use of a firewall product. Firewall products, which employ a passive filtering technique to look for data packets matching known security violations or misuse patterns, are typically placed somewhere between a managed proprietary network and an untrusted external source of information such as the Internet. Firewall products attempt to implement security on the perimeter of a proprietary computer network by monitoring all traffic or data packets traveling both to and from the proprietary computer network to determine which data packets can pass into or out of the proprietary computer network and which cannot. Some firewall products can identify suspected break-in events and issue appropriate alarms to a designated one of multiple computer resources in the computer network. Other firewall products may invoke a predetermined action to head off a suspected break-in event. Still other firewall products may trace an attempted break-in event through the creation and analysis of the data produced by an audit trail of all traffic.
A data packet-filtering firewall examines all of the data packets that are encountered, then the firewall product either allows these data packets to pass into an operating system as addressed or drops them based on a predetermined rule set. The network administrator can adjust how data packet filtering is performed by a firewall product, as far as permitting or denying connections to designated computer resources, by establishing filtering criteria in the firewall based upon the source of the data packet, the destination of the data packet, or the type of data contained in the packet.
In addition to data packet filtering, some firewall products offer other useful security features, such as the following:
Stateful packet inspection. State information is derived from past communication with the proprietary network and other software applications to make the decision to allow or deny new attempts to gain entry into a proprietary computer network. With the stateful packet inspection method of security, data packets leaving the computer resource are intercepted by an inspection engine in the firewall product that extracts state-related information. The inspection engine maintains the state-related information in dynamic state tables for evaluating subsequent attempts to gain entry into the proprietary computer network. Data packets are only permitted to pass into the proprietary computer network when the inspection engine in the firewall product examines a list of permitted communications and verifies that the attempt to gain entry into the proprietary computer network is in response to a valid request. The list of connections is maintained dynamically, so only the required ports are opened. As soon as the session is closed, the ports are locked to assure maximum security.
Network Address Translation (NAT). Network Address Translation hides the internal addresses of individual computer resources within the network from public view. This protects an individual networked computer resource from being used for spoofing (a technique for impersonating authorized users by using a valid address to gain access to a proprietary computer network).
Denial-of-service detection. Denial-of-service detection defends a proprietary computer network against attempts to gain access by techniques known as SYN flooding, port scans, and packet injection. Specifically, data packet sequence numbers in TCP connections are inspected. If the data packet sequence numbers are not within expected ranges, the firewall drops the data packets as suspicious data packets. When the firewall product detects unusually high rates of attempted new connections, it issues an alert message so that the network administrator can take appropriate action to protect other computer resources in the proprietary network.
Code Detection. Certain controls known as Java applets and ActiveX controls can be used to hide intelligent agents that can give intruders access to the operating systems of individual computer resources once these controls get inside a proprietary network. With the increasing use of Java applets and ActiveX controls on Web sites, some firewall products offer the means to either deny computer users access to Web pages that contain these controls or to filter such content from the Web pages when these controls are encountered.
Probe detection. Some firewall products offer alarms that are activated whenever probing is detected. The alarm system can be configured to watch for TCP or UDP probes from either external or internal networks. Alarms can be configured to trigger: a) e-mail messages, b) popup windows, or c) output messages to a local printer.
Event logging. Event logging automatically logs system error messages to a console terminal or syslog server. These system event messages enable network administrators to track potential security breaches or other non-standard activities on a real-time basis.
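As an added example, not code from any firewall product named on this page: a small Python model of the packet filtering, stateful inspection, TCP sequence-number checking, and SYN-rate and probe alarms described above. The rule set, the internal address range 10.0.0.0/8, the sequence window, the alarm thresholds and the packet trace are all constructed for the illustration. Inbound TCP packets are admitted only when they belong to a session that an internal host opened or that a rule explicitly permits, and state is discarded as soon as the session closes.

```python
"""Toy stateful packet filter with SYN-rate and probe alarms (constructed example)."""
import ipaddress
from collections import defaultdict, deque

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
SEQ_WINDOW = 65535                                  # tolerated sequence-number span

# Static packet-filtering rules: first match wins, anything unmatched is dropped.
RULES = [
    {"action": "allow", "direction": "out", "proto": "tcp", "dport": 443},
    {"action": "allow", "direction": "out", "proto": "tcp", "dport": 80},
    {"action": "allow", "direction": "in", "proto": "tcp", "dport": 25, "dst": "10.0.0.5"},
]


def direction_of(pkt):
    return "out" if ipaddress.ip_address(pkt["src"]) in INTERNAL_NET else "in"


def rule_matches(rule, pkt, direction):
    if rule["direction"] != direction:
        return False
    return all(rule[f] == pkt[f] for f in ("proto", "src", "dst", "dport") if f in rule)


class StatefulFirewall:
    def __init__(self, syn_threshold=5, probe_threshold=4, window_seconds=10):
        self.state = {}          # flow key -> {direction: next expected sequence number}
        self.alerts = []         # (kind, detail) messages for the administrator
        self._alerted = set()
        self._syn_times = deque()
        self._ports_by_src = defaultdict(deque)
        self.syn_threshold, self.probe_threshold = syn_threshold, probe_threshold
        self.window_seconds = window_seconds

    def process(self, pkt):
        """Return (verdict, reason) for one packet and update the state tables."""
        direction = direction_of(pkt)
        if direction == "in":
            self._check_syn_rate(pkt)
            self._check_probe(pkt)
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        key = fwd if fwd in self.state else rev
        if key in self.state:
            return self._established(key, pkt, direction)
        if pkt["proto"] == "tcp" and "SYN" not in pkt["flags"]:
            return ("drop", "TCP packet outside any known session")
        for rule in RULES:
            if rule_matches(rule, pkt, direction):
                if rule["action"] != "allow":
                    return ("drop", "denied by rule")
                self.state[fwd] = {direction: pkt["seq"] + 1}   # SYN consumes one number
                return ("allow", "new session permitted by rule")
        return ("drop", "no matching rule")

    def _established(self, key, pkt, direction):
        expected = self.state[key].get(direction)
        if expected is not None and not (expected <= pkt["seq"] <= expected + SEQ_WINDOW):
            return ("drop", "sequence number outside expected range")
        consumed = pkt.get("length", 0) + int(bool(pkt["flags"] & {"SYN", "FIN"}))
        self.state[key][direction] = pkt["seq"] + consumed
        if pkt["flags"] & {"FIN", "RST"}:
            del self.state[key]                  # session closed: the port is locked again
            return ("allow", "session closed")
        return ("allow", "established session")

    def _alert(self, kind, src, detail):
        if (kind, src) not in self._alerted:     # one alarm per condition and source
            self._alerted.add((kind, src))
            self.alerts.append((kind, detail))

    def _check_syn_rate(self, pkt):
        if pkt["proto"] != "tcp" or "SYN" not in pkt["flags"]:
            return
        self._syn_times.append(pkt["time"])
        while pkt["time"] - self._syn_times[0] > self.window_seconds:
            self._syn_times.popleft()
        if len(self._syn_times) > self.syn_threshold:
            self._alert("syn_flood", None, f"{len(self._syn_times)} inbound SYNs within {self.window_seconds}s")

    def _check_probe(self, pkt):
        seen = self._ports_by_src[pkt["src"]]
        seen.append((pkt["time"], pkt["dport"]))
        while pkt["time"] - seen[0][0] > self.window_seconds:
            seen.popleft()
        ports = {p for _, p in seen}
        if len(ports) > self.probe_threshold:
            self._alert("port_scan", pkt["src"], f"{pkt['src']} probed {len(ports)} ports within {self.window_seconds}s")


def run_sample():
    """Replay a constructed packet trace; returns (verdicts, alerts)."""
    fw = StatefulFirewall()

    def tcp(t, src, sport, dst, dport, flags, seq, length=0):
        return {"time": t, "src": src, "sport": sport, "dst": dst, "dport": dport,
                "proto": "tcp", "flags": set(flags), "seq": seq, "length": length}

    trace = [
        tcp(0, "10.0.0.7", 40000, "93.184.216.34", 443, ["SYN"], 1000),        # outbound open
        tcp(1, "93.184.216.34", 443, "10.0.0.7", 40000, ["SYN", "ACK"], 5000),  # valid reply
        tcp(2, "10.0.0.7", 40000, "93.184.216.34", 443, ["ACK"], 1001),
        tcp(3, "93.184.216.34", 443, "10.0.0.7", 40000, ["ACK"], 99999999),    # bad sequence
        tcp(4, "198.51.100.9", 5555, "10.0.0.5", 25, ["ACK"], 7),              # no session
        tcp(5, "198.51.100.9", 5555, "10.0.0.5", 25, ["SYN"], 7),              # allowed by rule
    ] + [tcp(6 + i, "203.0.113.4", 6000 + i, "10.0.0.7", p, ["SYN"], 1)        # probing
         for i, p in enumerate((21, 22, 23, 80, 8080))]
    return [fw.process(p) for p in trace], fw.alerts


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

In the replayed trace the out-of-range acknowledgement is dropped without disturbing the legitimate session, the stray ACK to the mail host is refused because no SYN preceded it, and the five-port sweep raises a port_scan alarm after a syn_flood alarm has already fired on the burst of new connection attempts.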
In addition to the foregoing, some firewall products now include automated intrusion-detection tools. One example is the OmniGuard/Intruder Alert offered by AXENT Technologies. The OmniGuard/Intruder Alert includes numerous drop and detect security scenarios. The preconfigured drop and detect security scenarios enable users of proprietary networks to install an automated intrusion detection tool to instantly protect individual computer resources from the most common and dangerous security threats.
The Intruder Alert firewall product uses a real-time, manager/agent architecture to monitor the audit trails of distributed computer systems for footprints which signal suspicious or unauthorized activity on all major operating systems, Web servers, other firewalls, routers, applications, databases, and SNMP traps from other devices connected to the proprietary network of computer resources. Unlike other automated intrusion-detection tools, which typically report suspicious activity hours or even days after it occurs, the Intruder Alert product takes action as soon as a suspicious intrusion is detected to alert network administrators, shut down computer resources, terminate offending sessions, and execute commands to stop intrusions before any major damage occurs. Once an attempted intrusion has been detected, a network administrator can create and quickly implement new security policies for different domains within a proprietary network, thereby implementing additional protection for multiple computer resources. In addition, the Intruder Alert product provides the network administrator with a correlated graphical view of security trends, thereby enabling the network administrator to view and analyze real-time security trends and to drill down for additional details concerning attempts to breach the protection provided by a firewall product.
Even after a firewall network protection solution has been implemented, it is still recommended that owners of proprietary computer networks periodically conduct a comprehensive security-risk assessment. Such security risk assessments assist network administrators in identifying and resolving security breaches before such security breaches are discovered and exploited.
A number of security risk-assessment tools are available, including a product called HackerShield developed and sold by BindView. The HackerShield product scans proprietary networks, detects potential security holes, and offers computer users patches or corrective actions to fix the breaches before they become a threat. The HackerShield product also identifies and resolves security vulnerabilities at both the operating-system level and at the network level. This product protects against both internal and external threats. The HackerShield product also monitors key system files for unauthorized changes and identifies vulnerable computer user passwords through a variety of password-cracking techniques.
Security risk assessment tools typically provide a detailed report of attempted break-ins and action taken to network administrators. This report describes each vulnerability of the computer network and the corrective action taken as well as a ranking of the vulnerabilities by the risk posed. Network administrators also are given a high-level overview of the vulnerability of the proprietary network and its solution, with an option to link to more detailed explanation and reference materials.
While the value of firewall products for passive monitoring and security of proprietary computer networks is undisputed, firewall products can degrade the performance of individual computer resources and create a single point of network failure. Tasks such as stateful data packet inspection, encryption, and virus scanning require significant amounts of processing capacity. As traffic in and out of a proprietary computer network increases, firewalls can become bogged down. Also, because a firewall product sits directly in the path of data packets, the firewall product itself constitutes a single point of failure. If the firewall product cannot keep up with filtering all of the data packets, the firewall product will stop passing all communications, thereby isolating the proprietary computer network behind it.
Dynamic load balancing switches are used to monitor the health of firewall products through automatic, periodic health checks. These dynamic load balancing switches also monitor the physical link status of the switch ports that are connected to each firewall product. Because the firewall products are no longer directly inline and traffic is evenly distributed among them, the end-user experience is improved. The dynamic load balancing switches automatically recognize failed firewall products and redirect entire sessions through other available firewall products.
Although the use of firewall products provides a formidable defense against many attacks on a proprietary network of computer resources, firewall products are not a panacea for all network security problems—particularly those network security problems that originate from within a proprietary computer network. For example, even if virus scanning is provided at the firewall product, such virus scanning will only protect against viruses that come into the proprietary computer network from outside the computer network—typically from the Internet. Scanning for viruses using firewall products does nothing to guard against the more likely sources of intrusion, such as floppy disks containing unwanted or malicious code that are inserted into one individual computer resource in a proprietary computer network by an authorized user who uploads a program onto a floppy disk, inserts it into an individual computer, and inadvertently (or deliberately) spreads a virus throughout the proprietary computer network.
Accordingly, there remains a need in the art for owners of proprietary networks of individual computer resources to have greater security protection than is provided by embedded security utilities, by firewall products, or by firewall products with automatic intrusion detection tools.