1. Field of the Invention
This invention pertains generally to firewall systems. More particularly, the invention is a method and apparatus for adding protocol inspection knowledge to a firewall, and updating that knowledge, while the firewall is operating and without interrupting firewall services. The invention allows inspection modules to be added to and updated in the firewall system without requiring a service restart.
2. The Prior Art
Firewalls are known in the art. In general, a firewall is a combination of hardware and software which limits the exposure of a computer or group of computers to an attack from outside. The most common use of a firewall is on a local area network (LAN) connected to the global information network, known as the Internet. Without a firewall, anyone on the Internet could theoretically connect to the corporate LAN and retrieve and/or transmit information to computers on the LAN. A firewall provides services which enforce a boundary between two or more networks. In the above example, a firewall would enforce a boundary between the LAN and the Internet.
A traditional firewall is implemented through a combination of hosts and routers. A router can control traffic at the packet level, allowing or denying packets based on the source/destination address or the port number. A host (or application gateway), on the other hand, can control traffic at the application and/or network level, allowing control based on a more detailed and protocol-dependent examination of the traffic.
Firewall technology based on the packet filtering method authorizes traffic on the basis of address and port alone. Some protocols cannot be handled correctly on that basis. In the case of an FTP file transfer in active mode, for example, the internal client announces on the control connection (via the PORT command) the address and port on which it will accept data, and the external server then opens a separate connection back to the internal host to send the data. A filter that sees only addresses and ports cannot know which inbound connection to admit; the firewall must read the control connection, extract the announced port, and temporarily allow exactly that connection. FTP is thus an example of a protocol that requires intelligence in the firewall to analyze the end-to-end communication. Some protocols, such as those used in multimedia conferencing applications, can be far more complex. Other application protocols requiring analysis of the end-to-end communication may be introduced at any time. In prior firewall art, the intelligence to analyze application protocols is statically embedded in the firewall.
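The following is an added illustration of the application-level intelligence the passage describes, written for this page and not taken from the patent or any product. It models an internal client talking to an external FTP server: a `FtpInspector` parses PORT commands from the control channel and derives the single inbound pinhole that a router-style `PacketFilter` must open, while refusing announcements that would open a hole toward a different host or a privileged port. All class and function names, and the sample addresses and commands, are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative code added for this page; not the patent's own implementation.
# FtpInspector, Pinhole, PacketFilter and the sample addresses are hypothetical.

# Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2).
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


@dataclass(frozen=True)
class Pinhole:
    """One temporary inbound allow rule derived from the control channel."""
    src_ip: str        # external FTP server, which originates the data connection
    dst_ip: str        # internal client that issued PORT
    dst_port: int
    proto: str = "tcp"


class FtpInspector:
    """Application-level intelligence for active-mode FTP.

    Parses PORT commands sent by an internal client and derives the single
    inbound pinhole the packet filter must open. Announcements naming any
    other host, or a privileged port, are rejected rather than opened.
    """

    def __init__(self, client_ip: str, server_ip: str) -> None:
        self.client_ip = client_ip
        self.server_ip = server_ip

    def inspect_command(self, line: str) -> Tuple[Optional[Pinhole], str]:
        """Return (pinhole, "") when a hole should be opened, else (None, reason)."""
        m = PORT_RE.match(line)
        if not m:
            return None, "not a PORT command"
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None, "PORT field out of range"
        announced_ip = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        if announced_ip != self.client_ip:
            # A client announcing a third-party address would make the firewall
            # open a hole toward a host that never asked for it; refuse it.
            return None, f"PORT address {announced_ip} is not the client"
        if port < 1024:
            return None, f"PORT {port} is a privileged port"
        return Pinhole(self.server_ip, self.client_ip, port), ""


class PacketFilter:
    """Router-style filter: static (port, proto) rules plus inspector-created pinholes."""

    def __init__(self, static_inbound: set) -> None:
        self.static_inbound = set(static_inbound)   # {(dst_port, proto)}
        self.pinholes: set = set()

    def open_pinhole(self, hole: Pinhole) -> None:
        self.pinholes.add(hole)

    def allows_inbound(self, src_ip: str, dst_ip: str,
                       dst_port: int, proto: str = "tcp") -> bool:
        if (dst_port, proto) in self.static_inbound:
            return True
        return Pinhole(src_ip, dst_ip, dst_port, proto) in self.pinholes


def handle_control_line(pf: PacketFilter, insp: FtpInspector, line: str) -> str:
    """Feed one control-channel line through the inspector; open a pinhole if accepted."""
    hole, reason = insp.inspect_command(line)
    if hole is None:
        return reason
    pf.open_pinhole(hole)
    return "opened"


if __name__ == "__main__":
    # Constructed sample session: internal client 10.0.0.5, external server 203.0.113.9.
    pf = PacketFilter(static_inbound=set())
    insp = FtpInspector(client_ip="10.0.0.5", server_ip="203.0.113.9")
    for cmd in ("USER anonymous\r\n", "PORT 10,0,0,5,16,1\r\n", "PORT 10,0,0,6,16,1\r\n"):
        print(cmd.strip(), "->", handle_control_line(pf, insp, cmd))
    print(pf.allows_inbound("203.0.113.9", "10.0.0.5", 4097))   # opened: 16*256+1
    print(pf.allows_inbound("203.0.113.9", "10.0.0.6", 4097))   # rejected announcement
```

The point of the example is that the pinhole is keyed on the full (server, client, port) tuple rather than on the port alone, so the data connection admitted is exactly the one the control channel announced and nothing else. A real firewall would also expire the pinhole once the data connection closes or after a timeout; that bookkeeping is omitted here.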
However, there are disadvantages associated with embedding this protocol knowledge in the firewall code. First, the firewall will typically have only static knowledge of protocol information. That is, the firewall will only have knowledge of the protocol information embedded therein, which is ascertained during the startup process of the firewall. Once started, the protocol knowledge of the firewall is fixed. Because of the growth of the Internet, new protocols are constantly being developed, particularly in the field of streaming media. Because the knowledge of the firewall is fixed after startup, knowledge of these new protocols cannot easily be added to the firewall at runtime, thereby increasing the risk of exposing the internal network, especially if the firewall has to be manually configured to relax its filtering in order to accommodate new protocols.
Currently, the primary method for adding or updating the protocol knowledge of a firewall requires restarting the firewall process. In operation, a user of the firewall acquires a new version of the firewall code containing the intelligence to support the new protocols and then restarts the firewall with this new code. During the startup process, the firewall ascertains the knowledge of the newly loaded protocol(s). However, as is known in the art, firewall services are not available during the restart process, thereby reducing the overall protection of the network, particularly if the firewall process is restarted often.
Another method for updating the protocol knowledge of the firewall comprises using a script to download protocol information to the firewall. While the use of a script allows some flexibility in adding packet filtering intelligence at runtime, this approach is limited by the capability of the base firewall system to support the script. If a new protocol requires support going beyond what the base firewall system can provide, or if the protocol is so complex that it cannot be expressed in the scripting language, then not only must new scripts be added but the base firewall capability itself must be enhanced. When the base firewall capability requires such enhancement or modification, the disruption to firewall services associated with implementing the change must also be overcome, which, as noted above, is not addressed by prior art methods.
Accordingly, there is a need for an apparatus and method which provides for the adding and updating of protocol knowledge to a firewall at runtime. The present invention satisfies these needs, as well as others, and generally overcomes the deficiencies found in the background art.