1. Technical Field
The present invention relates to remotely accessing hosts through a firewall and more particularly to remotely accessing hosts through a stealth firewall.
2. Related Art
Internet security has increasingly become the focus of both corporate and home computer users who participate in globally accessible computer networks. In particular, with the availability and affordability of broadband Internet access, even within the home, many computers and small computer networks enjoy continuous access to the Internet. Notwithstanding, continuous, high-speed access is not without its price. Specifically, those computers and computer networks which heretofore had remained disconnected from the security risks of the Internet now have become the primary target of malicious Internet hackers, crackers and script kiddies, collectively referred to as “unauthorized intruders”.
Notably, many such unauthorized intruders continuously scan the Internet for Internet Protocol (IP) addresses and ports of vulnerable computers communicatively linked to the Internet. At the minimum, those vulnerable computers can experience nuisance damage such as accessed, deleted or modified files or defaced Web pages. Yet, at the other extreme, for the unsuspecting end-user, their computer can become the launch pad for more malicious attacks which can cripple whole segments of the Internet.
In response to this security threat, firewalls have grown in popularity. Firewalls no longer are devices reserved for the sophisticated network administrator. Rather, firewall manufacturers now distribute personal firewalls both in hardware and software form. In fact, personal firewalls also have been integrated into many personal routers marketed to the home consumer. The term, “firewall”, connotes many types of devices. Two particular devices commonly associated with the term, “firewall”, include the application proxy and the packet filtering gateway.
While application proxies are widely considered to be more secure than packet filtering gateways, their restrictive nature and performance limitations have hindered their adoption. As a result, application proxies largely are deployed in order to limit the type of data traffic emerging from a protected network rather than the type of data entering into a protected network. Packet filtering gateways, by comparison, are often deployed in those networks in which incoming data is a concern and in which data throughput is an important criterion.
Packet filtering gateways operate by intercepting incoming data packets destined for a device in a protected network. Upon intercepting an incoming packet, the packet filtering gateway can determine whether a request to transmit data to the device is a permissible request. More particularly, the packet filtering gateway can identify in the request a destination IP address and a selected port. If the transaction is permissible, the packet filtering gateway will notify the requesting device accordingly by transmitting an “acknowledgment” (ACK) signal and engaging in a process known in the art as a “three-way handshake”. In contrast, if the transaction is not permissible, the packet filtering gateway will notify the requesting device accordingly by sending a “reset” (RST) signal.
FIG. 1A is a schematic illustration of a conventional firewall architecture in which requests (SYN) 100A to access the protected network 120A are transmitted from a device 130A over the Internet 140A. The network requests 100A are either granted or denied by the firewall 110A in a response 150A based upon associated packet filtering rules. If granted, an ACK signal is transmitted to the device 130A. Conversely, if denied, an RST message is transmitted to the device 130B. Notably, firewall 110A can be a “stateful” firewall whose packet filtering rules can be applied to a history of received access requests 100A.
A stateful firewall performs packet filtering not on the basis of a single packet, but on the basis of some historical window of packets on the same port. Although stateful inspection may enhance the level of security achievable using packet filtering, stateful inspection heretofore is a relatively unproven technology. Furthermore, although a historical window of packets may enable the filter to more accurately identify harmful packets, the filter must still know what type of pattern to look for in order to identify an intruder. Developing a stateful packet filter with sufficient intelligence to handle an almost infinite variety of possible packets and packet sequences has proven to be an exceedingly difficult task.
There are well-known deficiencies associated with those firewalls as illustrated in FIG. 1A. Specifically, an unauthorized intruder probing a protected network can identify open ports in a network simply by progressively scanning each port in the target network. If the port is “open”, the firewall will report the port as such. Even if the firewall denies access to the scanned port, however, the very fact that the firewall denied the request can indicate to the unauthorized intruder that a firewall is present. In this way, the unauthorized intruder can target the firewall using well-known methods to determine its manufacturer, model name and model number. Once the manufacturer, model name and model number of the firewall has become known to the unauthorized intruder, documented security flaws in the firewall can be exploited. Hence, it is preferable that a firewall remain difficult to detect when present in a network.
Stealth firewalls have characteristics that inhibit their detection in a network. As illustrated in the schematic diagram of FIG. 1B, a stealth firewall 110B has the characteristic of ignoring a SYN request 100B rather than providing an ACK or RST message in response to the SYN request 100B. By ignoring particular inbound SYN requests, though in violation of the TCP/IP protocol, an impression is created that the firewall and the network behind the firewall do not exist at the IP address associated with the access request.
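As an added illustration, not taken from the patent, the following Python model contrasts the three behaviours just described: a conventional packet filter that answers every SYN (ACK or RST), a stealth filter that ignores denied SYNs, and a simplified stateful variant that goes silent after a source has sent more than a set number of SYNs. The class and function names, the per-source SYN count rule, and the sample IP address are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Possible answers of the filter to an inbound SYN (labels chosen for this example).
SYN_ACK, RST, DROP = "SYN/ACK", "RST", "DROP"


@dataclass
class PacketFilter:
    """Minimal model of a packet filtering gateway (constructed for illustration)."""
    allowed_ports: Set[int]
    stealth: bool = False                     # True: silently ignore denied SYNs
    max_syn_per_source: Optional[int] = None  # simplified stateful rule (assumed)
    syn_history: Dict[str, int] = field(default_factory=dict)

    def respond(self, src_ip: str, dst_port: int) -> str:
        """Decide how the filter answers a SYN from src_ip to dst_port."""
        # Stateful part: count SYNs per source; beyond the limit the filter goes
        # silent regardless of the port rule, so a sweep stops receiving answers.
        seen = self.syn_history.get(src_ip, 0) + 1
        self.syn_history[src_ip] = seen
        if self.max_syn_per_source is not None and seen > self.max_syn_per_source:
            return DROP
        if dst_port in self.allowed_ports:
            return SYN_ACK                          # permissible: start the handshake
        return DROP if self.stealth else RST        # denied: RST, or nothing if stealth


def inferred_state(response: str) -> str:
    """What the remote sender can infer from the answer it receives (or does not)."""
    return {SYN_ACK: "open", RST: "closed, host present"}.get(response, "filtered or absent")


def sweep(filt: PacketFilter, src_ip: str, ports) -> Dict[int, str]:
    """Send one SYN per port and record what each answer reveals to the sender."""
    return {p: inferred_state(filt.respond(src_ip, p)) for p in ports}


if __name__ == "__main__":
    # 198.51.100.7 is a documentation (TEST-NET-2) address, used here as a constructed sample.
    conventional = PacketFilter(allowed_ports={80})
    stealth = PacketFilter(allowed_ports={80}, stealth=True)
    for name, f in (("conventional", conventional), ("stealth", stealth)):
        print(name, sweep(f, "198.51.100.7", [22, 80, 443]))
```

The conventional filter's RST replies reveal that a host and a filter are present on ports 22 and 443, whereas the stealth filter makes those ports indistinguishable from an unused address.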
Still, there are many reasons why remote access from a previously unspecified network location to a device in a protected network would be desirable. For example, it can be helpful for a remote user to access a home network to monitor the status of an alarm system, or to access a video camera in the home. A suitably fielded stealth firewall, however, would block such attempts at establishing a connection.