A firewall is a device for, or method of, controlling the connectivity of one computer network to another. A firewall is commonly referred to as a packet filter or a gateway and is used, mainly, to provide security for a computer network. For example, a user may wish to have a private computer network be remotely accessible from a public computer network by certain users (e.g., employees) but not by others (e.g., hackers). Here, a firewall may be placed between the private computer network and the public computer network to allow only authorized users to access the private computer network from the public network.
An example of a public computer network is the Internet. Communication over the Internet is conducted using certain protocols. These protocols allow users with different computers and different operating systems to communicate with each other over the Internet. Typical Internet protocols include the Transmission Control Protocol (TCP) and the Internet Protocol (IP). Other Internet-compatible protocols are based on TCP and IP.
In IP, a data stream to be transmitted is divided into a number of packets, where each packet contains the same IP header information. A source address and a destination address of the data stream are added to each packet along with instructions on how to recombine the packets to obtain the original data stream. The source address identifies from where in the network the packet came while the destination address identifies to where in the network the packet is to be sent (i.e., the endpoint, or collection of endpoints, of the data stream). A series of packets, each identified by the same source address and the same destination addresses is commonly referred to as a flow. With these addresses, there is no need for the packet to take the same route to the destination address. By allowing the packets to travel different routes, the sudden unavailability of a transmission path over which previously transmitted packets travelled will not result in an incomplete transmission. Here, subsequently transmitted packets would be sent over a different available transmission path. Since IP does not require data to be sent over a single fixed connection, a network that employs IP is commonly referred to as a connectionless network. A goal of a connectionless network is to increase the probability that a data stream will reach its destination address, but there is a performance penalty (e.g., transmission time, latency, variance of delay, etc.) associated with the additional information added to each packet. To satisfy the need for higher performance, a communication protocol named Asynchronous Transmission Mode (ATM) was developed.
In ATM, communication takes place in two steps. In the first step is to establish a transmission path over which a data stream will be transmitted. Since the data stream will be sent over the established transmission path, ATM is commonly referred to as a connection-oriented network. A signal containing a request to establish a transmission path is transmitted in segments, where each segment is referred to as an ATM cell and, more particularly, as an ATM signalling segment. The transmitted segments are reassembled at the destination address to reconstruct the connection request. the connection request is then analyzed to determine whether or not to establish the transmission path.
If the transmission path is established, the second step is to transmit the data stream. The data stream is transmitted in segments, where each segment is also be referred to as an ATM cell but, more particularly, as an ATM data segment. The transmitted ATM data segments are then recombined at the destination address to for the original data stream.
A transmission path may include more than one node or link. For each link in the transmission path there must be two switches, one for the data stream to enter the link and one for the data stream to exit the link. In ATM, information must be maintained that identifies all of the links and switches that comprise the transmission path used to transmit a data stream. Instead of storing all of this information at one location, portions of the information are distributed throughout the network switches along the transmission path.
Information is added to the header of each segment to determine how to forward the cell to the next point, or hop, in the path to the destination address. The header for a segment has only edge-level significance (i.e., hop-to-hop), not end-to-end significance (i.e., source-to-destination). The header does not identify the source or the destination of the segment, but only provides enough information for the segment to be processed at the next hop in the path. Information that identifies the final destination of each segment is not included in the header, since all of the segments transmitted along a given transmission path follow the same route. For this reason, the headers in connectionless networks (i.e., IP) tend to be larger than headers in connection-oriented networks (i.e., ATM). The smaller header sizes of the connection-oriented networks make it easier for the switches to process the information. Therefore, connection-oriented networks tend to be more efficient and support higher transmission speeds than connectionless networks.
Some networks combine IP and ATM by transmitting IP packets over an ATM transmission channel. This is commonly referred to as IP over ATM. Here, an IP packet is divided into segments. Each segment is then made part of an ATM data segment and transmitted over the ATM network as an ATM cell.
Simply combining the capabilities of an ATM firewall with those of an IP firewall does not, necessarily, yield a more efficient or more secure firewall for an IP over ATM network. The present invention is a secure and efficient firewall that applies a security posture to connectionless network data packets (e.g., IP data packets) transmitted over a connection-oriented network (e.g., ATM).
The closest prior art to the present invention appears to be the present inventor's own previous work published in a paper entitled “An FPGA-Based Coprocessor for ATM Firewalls,” by the IEEE Computer Society, Los Alamitos, Calif., on Apr. 16, 1997, in Proceedings, The 5th Annual IEEE Symposium on Field-Programmable Custom Computing Machines. The device disclosed in this publication is the subject of a patent application Ser. No. 09/059,041, filed Apr. 13, 1998, entitled “FIREWALL SECURITY APPARATUS FOR HIGH-SPEED CIRCUIT SWITCHED NETWORKS.”
FIG. 1 lists the steps of the method disclosed in the above-identified publication. The first step 1 is initializing a database and a connection-oriented network approved list, where the database contains rules for allowing and denying access concerning connection-oriented network flows, and where the connection-oriented approved list includes approvals of flows carrying ATM signaling information and ATM data.
The next step 2 is receiving a datagram. The present invention uses the term datagram to mean a unit of information. Acceptable units of information for the method of FIG. 1 includes an ATM signaling segment or an ATM data segment.
The next step 3 is identifying the type of the datagram (i.e., ATM signaling segment or ATM data segment).
The next step 4 is allowing the datagram access to the information processing network, recording that the datagram was allowed access to the information processing network, and comparing the connection request contained therein to the database if the datagram is an ATM signaling segment.
The next step 5 is adding the connection request to the connection-oriented network approved list if the connection request is approved by the database and returning to the second step 2. If the connection request is not approved by the database then return to the second step 2 without recording anything on the approved list.
The next step 6 is allowing the datagram access to the information processing network, recording that the datagram was allowed access to the information processing network, and returning to the second step 2 if the datagram is an ATM data segment and is on the connection-oriented network approved list.
The next step 7 is discarding the datagram, recording that the datagram was denied access to the information processing network, and returning to the second step 2 if the datagram is an ATM data segment and is not on the connection-oriented network approved list.
FIG. 2 is a schematic of a device 20 that implements the method disclosed in the above-identified publication. The device 20 includes a flow management unit 21, having a first input/output bus 22 for receiving a flow, having a second input/output bus 23 for transmitting a flow, and having a third input/output bus 24. A connection-oriented approved list storage unit 25 has a first input/output bus 26 and a second input/output bus 27. A connection-oriented flow processor 28 is connected to the input/output bus 26 of the connection-oriented approved list storage unit 25 and is connected to the third input/output bus 24 of the flow management unit 21. A flow command processor 29 is connected to the first input bus 27 of the connection-oriented approved list storage unit 25, is connected to the third input/output bus 24 of the flow management unit 21, and has an input/output bus 30. A connection-oriented (e.g., ATM) signaling flow processor 31 is connected to the input/output bus 30 of the flow command processor 29 and has an input/output bus 32. A connection-oriented signaling address database unit 33 is connected to the input/output bus 32 of the connection-oriented signaling flow processor 31. A memory management unit 34 is connected to the third input/output bus 24 of the flow management unit 21 and has an input/output bus 35. A memory unit 36 is connected to the input/output bus 35 of the memory management unit 34.
The method and device disclosed in the above-identified publication are each a firewall that only processes connection-oriented signaling segments and connection-oriented data segments. The inventors of the present invention improved upon their work by inventing a device and method that processes connectionless network segments (e.g., IP packet segments) contained within connection-oriented network cells (e.g., ATM cells).
Other prior art that may be relevant to the present invention includes the following U.S. patents.
U.S. Pat. No. 5,606,668, entitled “SYSTEM FOR SECURING INBOUND AND OUTBOUND DATA PACKET FLOW IN A COMPUTER NETWORK,” discloses a device for and method of using a packet filter code that contains rules for determining whether or not a received packet should be allowed or denied access to the computer network. U.S. Pat. No. 5,606,668 requires that each packet received in all cases must be processed in accordance with the accept/reject rules. The present invention does not require that each packet received in all cases be analyzed in accordance with accept/reject rules. The processing burden required for each packet received makes the device and method of U.S. Pat. No. 5,606,668 not as efficient or secure as the device and method of the present invention. U.S. Pat. No. 5,606,668 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,623,601, entitled “APPARATUS AND METHOD FOR PROVIDING A SECURE GATEWAY FOR COMMUNICATION AND DATA EXCHANGES BETWEEN NETWORKS,” discloses a device for and method of screening data in accordance to the level of security required for the data. U.S. Pat. No. 5,623,601 requires an analysis of all of the received data in accordance with a security profile established by a security administrator. The processing burden required for each datagram received makes the device and method of U.S. Pat. No. 5,623,601 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,623,601 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,802,320, entitled “SYSTEM FOR PACKET FILTERING OF DATA PACKETS AT A COMPUTER NETWORK INTERFACE,” discloses a device for and method of screening data without adding any information of any network address pertaining to the screening process. This allows the screening system to function without being identified and, thus, more difficult to target by a hacker. U.S. Pat. No. 5,802,320 requires that each packet received be analyzed in accordance with accept/reject rules whereas the present invention does not. The processing burden required for each packet received makes the device and method of U.S. Pat. No. 5,802,320 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,802,320 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,826,014, entitled “FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK,” discloses a device for and method of a firewall. U.S. Pat. No. 5,826,014 requires that each datagram received be analyzed in accordance with accept/reject rules whereas the present invention does not. The processing burden required for each datagram received makes the device and method of U.S. Pat. No. 5,826,014 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,826,014 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,828,844, entitled “INTERNET NCP OVER ATM,” discloses a device for and method of a transmitting an IP data packet, ATM signaling, or ATM data. U.S. Pat. No. 5,828,844 does not disclose an efficient and hacker resistant firewall for receiving IP data packets, ATM signaling, and ATM data as does the present invention. U.S. Pat. No. 5,828,844 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,828,833, entitled “METHOD AND SYSTEM FOR ALLOWING REMOTE PROCEDURE CALLS THROUGH A NETWORK FIREWALL,” discloses a device for and method of allowing remote procedure calls through a firewall if the application server from which the request was made appears on an access control list. The access control list appears to be manually maintained. There does not appear to be any rules for automatically adding an application server to the access control list based on an analysis of the incoming request as in the present invention. U.S. Pat. No. 5,828,833 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,828,846, entitled “CONTROLLING PASSAGE OF PACKETS OR MESSAGES VIA A VIRTUAL CONNECTION OR FLOW,” discloses a method of a firewall that applies the accept/reject rules to every packet received that concerns flow management (i.e., signaling rather than data) whereas the present invention does not. The processing burden required for each packet received concerning connectivity makes the method of U.S. Pat. No. 5,828,846 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,828,846 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,835,726, entitled “SYSTEM FOR SECURING THE FLOW OF AND SELECTIVELY MODIFYING PACKETS IN A COMPUTER NETWORK,” discloses a device for and a method of a firewall that applies the accept/reject rules to every packet received whereas the present invention does not. The processing burden required for each packet received makes the device and method of U.S. Pat. No. 5,835,726 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,835,726 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,835,727, entitled “METHOD AND APPARATUS FOR CONTROLLING ACCESS TO SERVICES WITHIN A COMPUTER NETWORK,” discloses a device for and a method of a firewall that applies the accept/reject rules to every datagram received whereas the present invention does not. The processing burden required for each datagram received makes the device and method of U.S. Pat. No. 5,835,727 not as efficient and secure as the device and method of the present invention. U.S. Pat. No. 5,835,727 is hereby incorporated by reference into the specification of the present invention.