A business's computer network servers are protected by a border router, which hosts a firewall. The firewall checks and filters each incoming data packet, based an access control list programmed in the firewall. The access control list identifies the source and destination computer Internet Protocol (IP) addresses as well as destination computer port addresses. The firewall rejects al packets based on the source computer IP address, destination computer IP address and the destination computer port address that are listed in the access control list.
The header of the incoming data packets contains the source computer IP address, the destination computer IP address, and the destination computer port. IP denotes a unique address of every computer on a network and the port denotes the connection to a specific application of the computer.
The identification of source of a packet is in the form of an IP address, and is created and can be changed or altered to be set to any value by the source computer. Therefore, the destination computer cannot truly know where the packet came from or which computer it originated from. This is how spurious and harm causing data packets are sent to a computer over which the destination computer has no control since it cannot really authenticate the source of the data packet.
Therefore, a border router/firewall functions by checking each packet and filtering out those packets that are not for approved destination ports and did not come from a source IP and are not for a given destination IP as specified in the access control list. There are other types of firewall that may be placed before an application server that check for unauthorized or spurious content that is specific to that application in the packet.
In addition to the protection using border router/firewall to filter out data packets as described above, prior art teaches that the source authentication for each computer session between a source and a destination computer is performed using a user id and password. However, password is considered a weak form of authentication by the Information Security Experts as this form of authentication can be easily compromised.
Since there is no certainty that the sender of these data packets is who it says it is, the prior art may allow entry of data packets into a network that are harmful to a destination computer.
The industry solution to this state of weakness in protecting a network from harm has been to build an Intrusion Detection System (IDS). The IDS is a software function that is deployed on a server inside the network and monitors or sniffs all data packets traveling in the network. The IDS, copies all data packets in the network and applies rule and signature based logic to detect threat scenarios and alert the system managers that an attack may be taking place.
In the IDS approach, the data packets that cause harm have already entered the network in spite of the border router/firewall and the user authentication with a password. The IDS is a complex approach and does not work all the time creating many false alarms. It is so complex, that many businesses have hired other businesses to send them all the data traffic to a remote facility and let them monitor the data packets, thus also creating an issue of confidentiality of data going to another business.
Many businesses use card/token based strong (two-factor) source authentication in current systems for network access security. In card/token-based systems of access security, each employee of a business is given a card and a card reader. At the time of log in, the employee uses the card and a personal number in conjunction with the card to as well as a password to authenticate to the business computer system. The card/token based access control system is costly, has operational security and logistical issues, and therefore, is not widely used by businesses. Therefore businesses are using only a one-factor (password) authentication for establishing security of a session.
In light of the above, it is an objective of the present invention to have an apparatus and methods for network access security that does not have the deficiencies of the prior art as described above.