1. Field of the Invention
The present invention generally relates to network security. More specifically, the present invention relates to a firewall that receives, and is informed by, a security policy that identifies authorized resource sources and content types required by a web server to display a page and blocks anything that is not authorized.
2. Description of the Related Art
Network-based data communications are useful for a variety of tasks, such as sending and receiving emails, browsing Internet webpages, browsing intranet private network portals, sending and receiving instant messages, telephone calls over voice-over-internet-protocol (VOIP) services, and video calls. However, network-based data communications can be dangerous when viruses, adware, spyware, or other kinds of malware are unwittingly transmitted to a user device. Such malware may have been inserted into a web content server by a third party attacker, or may have been injected into a data transmission from the web content server (e.g., via a man-in-the-middle attack) by the third party attacker, or may be sent directly to a client device from the third party attacker.
Typically, firewall systems accept incoming data, filter through the incoming data to identify and block potentially dangerous incoming data, and allow transmission of only data that is safe to transmit. Some firewalls also automatically perform antivirus scans or malware scans of data that the firewall has deemed to be otherwise allowable, which may further be used to block dangerous data in the event that a virus is found.
Virus scanners and malware scanners, while helpful, typically cannot detect all possible viruses or malware. It takes time for virus scanners and malware scanners to be updated to detect new or uncommon viruses or malware, in which time such viruses or malware may pass freely to client systems. Virus scanners and malware scanners may also become compromised by a third-party attacker that has disabled them or crippled them.
Wholesale blacklisting/blocking of certain types of data from being transmitted to a client device (e.g., blocking all executable files, blocking all Java files, blocking all Flash files, blocking all media files) is practiced by some firewalls, and can be effective for certain specialized systems that are only used to perform certain types of tasks that only require receipt of a specific subset of data types (e.g., a server whose only function is to forward text messages). However, such wholesale blocking is problematic in most circumstances, as it may break functionality of certain software applications (e.g. “application store” applications often download executable files) or web pages (e.g., the United States Patent and Trademark Office Private “PAIR” Patent Application Information Retrieval webpage uses a Java applet).
Therefore, there is a need for improved firewall.