1. Background
The present invention relates to network security systems for securing electronic data transfer connections to a private computer network. The security system of the present invention ensures that harmful or unwanted electronic mail ("e-mail") messages do not enter a network by selectively checking portions of the e-mail.
2. Prior Art
Private computer networks, such as Intranets and enterprise networks, are commonly serviced by one or more server computers that normally provide a particular network function. Some of the more common server computers are file servers and database servers which are responsible for specific functions. A server can have a dedicated function such as receiving and distributing electronic mail messages or e-mail on a network. This type of server, known as a mail server, typically regulates and distributes incoming mail messages to nodes (i.e. users) on the network. It can also controls outgoing mail traffic. The mail server has become an increasingly common entity on many computer networks. This is true because of exponential growth in the use of e-mail both within an enterprise or private network and on the Internet. Individuals, whether at work or at home, are turning more often to electronic mail for communicating with other individuals and entities. As a result, the volume of e-mail traffic on computer networks of all scales and types has increased rapidly over the past several years and with it the security risks to computer networks.
As the name implies, a private network is not always freely accessible to external networks or entities. One way for an external source to gain access to nodes on a private network (a node being an arbitrary entity such as an end user, a printer, or a server), is to go through a server on the network. Gaining access to a network through one of the network's servers depends on the network configuration. A network may be configured such that all e-mail among nodes in the network and e-mail going in and out of the network must be serviced by a mail server alone or by a combination of a mail server and a mail relay.
FIG. 1 is a diagram showing a prior art configuration of a mail server 100 and a mail relay 102 regulating incoming e-mail message 104 to a network 106 from an external source.
Mail relay 102 acts as a gatekeeper for the mail server 100. As such, it is in a particularly vulnerable position because it must be publicly accessible in that external sources wanting to send mail to a node 108 on the private network 106 must be able to access it. Any incoming mail messages first go through the mail relay 102 and are then distributed to nodes on the network by mail server 100. Mail relay 102 has the ability to store or buffer incoming e-mail message 104 and will do so if for some reason the mail server 100 is unable to process mail at a given time (e.g. when the mail server is down or when there is a backlog of mail because of high volume). Thus, mail relay 102 can, at any given time, have stored in its own memory or buffer 110 live (i.e., unread) e-mail messages which have not been distributed to nodes on the network.
This situation, among others, makes the mail relay/mail server configuration particularly vulnerable to attack from external sources. Stated another way, there are no significant barriers from keeping an external source from corrupting e-mail messages stored in mail relay 102 or from transmitting bad messages to its memory 110 which will, at a later time, be relayed to the mail server 100 and, presumably, be distributed on network 106. An intruder may be able to read buffered mail or corrupt the mail stored in the mail relay in some way without letting mail server 100 find out about it. This is just one way of infiltrating a network by gaining access to the network's mail server.
A network's mail server is particularly vulnerable to infiltration given the increasing volume of e-mail traffic within and among private networks. In order to attack a mail server, the intruder must first gain access to the server. As described above, this can be done by manipulating the mail relay. In addition, an intruder can obtain information about the server and send a certain type of e-mail message to it that will cause the server to perform certain functions. Information about a network's mail server can be derived from examining data exchanged through the use of mail transfer protocols or, more broadly, data transfer protocols that use a network mail server. An intruder can examine data in the envelope and headers commonly used in mail transfer protocols to derive Internet Protocol (IP) addresses (i.e., host addresses), and port numbers of the network's entities or can examine other types of messages utilized by certain protocols to learn similar and related information. Once the intruder gains access to the mail server, network security may be jeopardized.
In view of the above, it would be desirable to determine the nature and type of e-mail messages being sent to nodes in a private network before the messages are accepted by the network's mail server for distribution on the network. Through this procedure, the network could reject or translate/sanitize in real time those e-mail messages that may harm the network or are simply undesirable, thereby providing an enhanced and efficient security mechanism for the network.