1. Field of the Invention
The invention relates to a computer firewall.
2. Description of the Related Art
The majority of local computer networks (LCNs) today have access to the Internet. However, existing network protocols have no special built-in security features to protect private networks and preserve data integrity. Therefore the growing number of network features and the increasing demands on network security require special devices that selectively block access to information resources and control the data exchange between different computer networks.
Network screens, commonly called firewalls, are widely used as such devices. A network screen is a special network device located between two different segments of an LCN in such a way that the packets exchanged between these two segments are limited by special filter rules for the incoming and outgoing data streams. Such a device may be installed between a secured segment of an LCN and a router with one of its ports connected to the Internet. In that case the packet-filtering rules may block inbound and outbound activity of the secured LCN selectively, including by given users, time of day, days of the week and months.
An example of an existing firewall is U.S. Pat. No. 5,898,830, which is incorporated herein by reference, and which describes a network screen located between two computer networks whose network activity is transparent to the users of the secured network. For this purpose the network screen supports a configuration of two sets of virtual subscribers. The first set may be addressed only from the secured segment and the second only from the open segment of the network. The two sets are associated in software by a table matching their network addresses, much as a DNS server does. Permitting or restricting data packets from a virtual subscriber with one set of addresses to the virtual subscriber with the other set of addresses is done in accordance with the packet-filtering rules kept in the configuration file of the network screen.
Virtual subscribers, except the one especially dedicated to this purpose, do not have access to the system files and other system resources of the device used as a network screen. A control program module configures the network screen and, more particularly, creates the virtual users in accordance with the configuration files read when the device was started. Access to these configuration files can be granted under the rules of an authorization function to a special virtual user addressed from the computer network. These rules include checking the identity and the authorization of the user who made the request. Once this access is granted, the configuration file of the network screen that controls the data exchange between the computer networks may be modified. Transparency of this screen to the network-level protocols does not mean that the network screen cannot be discovered using special software tools: since the set of secured network units is screened by one network interface at the channel (link) level of network activity, each of these units is identified by the physical address of that network interface.
The procedure for identifying the network subscriber used to obtain access to the configuration file is not secured against intruders. This means that unauthorized access remains possible by trying different passwords or by exploiting hidden software holes.
Another known device used for similar purposes is SunScreen Secure Net 3.1, a product of Sun Microsystems. This device contains a firewall that has a so-called ‘stealth mode’ in which no logical (IP) addresses are used for external data exchange. The SunScreen Secure Net has a network address translation function that enables the screen to map an internal network address to a different external address, masking the identity of machines within the enterprise. When packets pass between an internal host and a public network, their IP addresses are replaced with new addresses transparently, checksums and sequence numbers are corrected, and the state of the address map is monitored. Administrators can specify when a packet is subject to ordered network address translation based on its source or destination addresses. This device still uses the physical (MAC) addresses of subscribers, for example for ARP requests in its VPN tunnel functions. This means that from inside the secured network the stealth interface is completely visible.
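The address mapping with checksum correction and per-flow state described above, as an added illustration that is not code from the patent or from the SunScreen product: a 1:1 translator rewrites the source address of outbound IPv4 packets, recomputes the header checksum, and admits an inbound packet only if it answers a flow that was seen leaving. The address map, the packet layout and the sample addresses are all constructed for this example.

```python
import struct
from ipaddress import ip_address

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791); returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4 packet: 20-byte header, no options, TCP protocol number, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def _rewrite(packet: bytes, src: str = None, dst: str = None) -> bytes:
    """Replace the source and/or destination address and recompute the header checksum."""
    hdr = bytearray(packet[:20])
    if src is not None:
        hdr[12:16] = ip_address(src).packed
    if dst is not None:
        hdr[16:20] = ip_address(dst).packed
    hdr[10:12] = b"\x00\x00"                # checksum field must be zero while summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]

class StaticNAT:
    """1:1 address translation with per-flow state: only replies to outbound traffic are let back in."""
    def __init__(self, address_map: dict):
        self.out_map = dict(address_map)                      # internal -> external
        self.in_map = {v: k for k, v in address_map.items()}  # external -> internal
        self.flows = set()                                    # (external, remote) pairs seen outbound

    def outbound(self, packet: bytes):
        src, dst = str(ip_address(packet[12:16])), str(ip_address(packet[16:20]))
        ext = self.out_map.get(src)
        if ext is None:
            return None                     # internal host not in the map: drop
        self.flows.add((ext, dst))          # record state so the reply can be reversed
        return _rewrite(packet, src=ext)

    def inbound(self, packet: bytes):
        src, dst = str(ip_address(packet[12:16])), str(ip_address(packet[16:20]))
        if (dst, src) not in self.flows:
            return None                     # no matching outbound flow: drop unsolicited packet
        return _rewrite(packet, dst=self.in_map[dst])
```

Port-level (many-to-one) translation would additionally rewrite the transport header and its checksum; the drop on missing flow state is what keeps unmapped external probes from reaching internal hosts.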