1. Field of the Invention
The present invention relates to the art of utilizing geographic information as a basis for network access control, specifically, the extraction and analysis of IP protocol attributes for the plurality of packets traversing a data network, resulting in real-time classification of said packets in a manner that facilitates responses based on a set of pre-defined, geographic, security assertions.
2. Background of the Invention
The firewall has long been the de facto standard of network perimeter defense, guarding computer resources from unauthorized access by regulating the transmission of data packets to protected devices according to a rule-set. Presently, most network firewalls perform a diverse range of functions, including Network Address Translation (NAT), support for virtual private networking (VPN), stateful TCP/IP connection tracking, as well as, other sophisticated techniques of analyzing packet and protocol characteristics. One example of such a device is Checkpoint's Firewall-1, a product described by U.S. Pat. Nos. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943.
Generically, firewalls operate primarily by analyzing network traffic using a pre-defined set of rules that determine how data packets are processed. One limitation of firewalls is that their operation is dependent upon the information contained within networking protocols. Information external to a protocol, that is, information not contained within the syntactic construction of a data packet of a specific protocol type, presents a challenge to firewall technology in relation to that protocol in the form of a blind spot. This blind spot constitutes a set of unknowns, various information states that the firewall cannot observe or measure, but must either infer through some mechanism or obtain via interoperation with another device or devices having different views of the network or the given protocol. It should be noted that this problem is not unique to firewalls, but also affects Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), a weakness systematically documented in Ptacek and Newsham's classic paper, “Insertion, Evasion, and Denial of Service.”
This fundamental limitation has led to the development of diverse firewall technologies in recent years. This technological growth can be characterized, broadly, as following two lines of development, each line addressing the basic “blind spot” limitation through a different technological track.
One line of development has focused on improving the firewall's ability to decode, analyze, and track the state of information passing between computer systems on a data network. This type of technology is often referred to as a stateful packet-filter. One example of technological innovation in the area of protocol processing is Checkpoint's U.S. Pat. No. 5,606,668, facilitating the stateful inspection of TCP/IP segments. This technology addresses the blind spot problem by allowing the firewall to better maintain state between machines communicating through the firewall and by accurately tracking the connection state between systems traversing the firewall.
Checkpoint's Stateful Inspection technology, while a fundamental innovation in the field, addresses the blind spot problem only in part. The position of a device on a network and the information available from its localized point of processing introduces a fundamental myopia that even perfect protocol analysis and session state tracking cannot eliminate. This has led to a second line of evolution within firewall technologies, the development of new species of firewalls designed to address a different dimension of their limitations. This diversification of firewall technology includes Host-based “personal” firewalls, application-layer firewalls, and specialized proxy-firewalls, to give a few examples.
Despite the proliferation of firewall and hybrid IDS/IPS technologies and the protection that these technologies provide, there exists a need to regulate network access control for IP networks on the basis of the geographic location of network entities. The inability to preemptively block or otherwise respond to network data packets in real time on the basis of geographic location has been a longstanding limitation of firewall technology. Since the information necessary for determining the geographic location of a datagram or TCP segment is, principally, meta-information external to IP-based protocols, this type of access control has its own unique challenges.
Since the turn of the century, numerous geographic-based IP technologies have emerged, some specifically related to firewalls and access control. One example of a geographically aware firewall technology is described by U.S. Pat. No. 6,839,852, owned by McAfee. This technology is a host-based firewall program described as capable of retroactively tracing the geographic origin of a network event logged by the firewall. However, it does not block inbound or outbound network traffic based on geographic factors and thus still suffers from the same geographic blindness as predecessor technologies.
With the McAfee exception, patented geographic technologies seem to have been mostly developed over the last few years, largely to meet market demands in the area of advertising and marketing, but with interest growing in the application of Internet Geolocation technology to network and application security. A number of patents have been granted to Internet Geolocation companies, most prominently: Digital Envoy, Inc, U.S. Pat. No. 6,757,740, Quova, Inc., U.S. Pat. No. 7,072,963 and U.S. Pat. No. 6,684,250, IBM Inc., U.S. Pat. No. 7,100,204, inventor Cyril Houri, U.S. Pat. No. 6,665,715, and U.S. patent application 20060206624, concerning a technology for determining the geographic location of web resources. Recently, the NSA was also granted a patent related to determining the geographic location of a networked entity, described by U.S. Pat. No. 6,947,978.
Additionally, many companies currently license Internet Geolocation databases containing mappings between IP addresses and geographic information at various degrees of granularity. The application of geolocation technologies to the field of computer and data network security is occurring both commercially and at a grassroots level, with the commercial technologies primarily focused on geolocation at the Application Layer (OSI Model Layer 7), mainly to combat the widespread phenomenon of Identity Theft and Internet fraud. At the grassroots level, various individuals, organizations, and projects are using geographic information in creative ways, such as D-Shield (www.dshield.org), which utilizes firewall logs voluntarily uploaded by users to create a global picture of network attack patterns and trends. Other individuals and organizations have authored scripts and tools for converting geographic databases and information from Regional Internet Registrars (RIRs) into firewall rules, with notable work being done for the Linux firewall netfilter.
Efforts to adapt existing firewall and Access Control List (ACL) technologies, such as those of routers, to the challenge of enforcing geographic-based rules use a number of techniques, most with serious disadvantages. Conventionally, these approaches have involved time-consuming manual processes, carried out on a piece-meal basis. For example, creating geographic rules for a firewall typically involves using or writing a Perl script to parse a list, or using an existing database by importing its contents into a SQL-based database and then using SQL queries to generate firewall rules for the desired regions or countries. These rules are then imported or added into the firewall rule-set, or used for modifying SMTP server configurations to reject mail from particular geographic areas. Such processes are time consuming due to the need for precise syntax within the constructed rules, and overall involve a lot of line-by-line proofing or fluency with Unix/Linux regular expressions, as well as a scripting language, commonly Perl.
Second, existing firewall technologies are largely unsuited for using complete geographic rule-sets, such as a rule set constructed from a RIR delegated list or created from a geographic database, as such rule sets can easily comprise over 100,000 rules. Utilization of geographic rules within firewall or router technologies is only efficiently implemented on a very selective basis due to the information processing demands of very large rule sets. This problem is further exacerbated within enterprise networks that operate at gigabit speeds. As a result, the full benefits of geographic protection are never realized.
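The script-driven workflow described in the two paragraphs above, shown as an added example that is not part of this patent's text: it parses a constructed sample in the RIR delegated-file format into CIDR prefixes for the chosen country codes, splitting delegations whose address count is not a power of two, and emits one netfilter rule per prefix, which also makes visible how quickly a complete geographic rule-set grows. The field layout, the sample rows and the chain name GEO_BLOCK are assumptions.

```python
import ipaddress

# Constructed sample in the RIR "delegated" file format, which this example assumes:
# registry|cc|type|start|value|date|status. For ipv4 rows `value` is an address
# count (not always a power of two); for ipv6 rows it is a prefix length.
SAMPLE_DELEGATED = """\
2|apnic|20240101|7|19700101|20240101|+1000
apnic|*|ipv4|*|5|summary
arin|US|ipv4|8.0.0.0|16777216|19921201|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
ripencc|DE|ipv4|2.16.0.0|768|20100101|assigned
apnic|CN|ipv6|2001:250::|32|20000426|allocated
"""


def country_blocks(delegated_text, countries):
    """Return the CIDR blocks delegated to `countries`, split and merged into valid prefixes."""
    v4, v6 = [], []
    for line in delegated_text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[3] == "*":  # blanks, summary rows, malformed rows
            continue
        _registry, cc, afi, start, value = fields[:5]
        if cc not in countries:  # also skips the version header, whose cc field is the registry
            continue
        if afi == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            # a 768-address delegation is not one prefix; summarize_address_range splits it
            v4.extend(ipaddress.summarize_address_range(first, last))
        elif afi == "ipv6":
            v6.append(ipaddress.IPv6Network(f"{start}/{value}"))
    # merge adjacent blocks of the same country so the rule-set is as small as possible
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def netfilter_rules(blocks, chain="GEO_BLOCK", target="DROP"):
    """Render one iptables/ip6tables rule per block (chain name is an assumption)."""
    return [
        f"{'iptables' if b.version == 4 else 'ip6tables'} -A {chain} -s {b.with_prefixlen} -j {target}"
        for b in blocks
    ]


def build_rules(delegated_text, countries):
    return netfilter_rules(country_blocks(delegated_text, countries))


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_DELEGATED, {"CN", "DE"}):
        print(rule)
```

Run against a full delegated file from an RIR rather than the sample, the same loop yields the rule counts the text describes, one rule per delegated prefix.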
Implementing an exhaustive and regimented policy of geographic access control for even a single network device is highly impractical using existing firewall technologies. These performance limitations, coupled with the high volume of manual administration required to update and maintain a large, cumbersome rule-set, presently exclude most enterprise networks from realizing the benefits of geographic security controls enforced via access control technology. Due to the limitations of existing technologies in providing effective geographic-based network access control, we decided to approach the problem area in a different way, abandoning the limitations of the firewall and its kin.
We refer to this new technology as Geographic Threat Protection, or GTP. This technology offers significant benefits for any network protected by a GTP service or device in terms of enhanced defense in depth for network security. Another example of the technology would allow companies to enforce network access control policies where traffic from only the countries they do business with would be allowed. Thus, bandwidth can be saved by blocking unwanted network traffic from countries the company doesn't do business with, in addition to the multiple security benefits of such a technology.
The creation of GTP technology was driven by events, both recent and historical, and by a realization of vulnerability inherent in the Internet on which both business and government increasingly depend: from Pearl Harbor to 9/11, the United States has occasionally been blindsided by an enemy which strikes without warning. Geographic Threat Protection is a sound defensive measure to prevent sudden and devastating attacks against U.S. companies and US critical infrastructure from the Internet.
We believe that geographic threat protection will make the United States and its corporate and government networks more defensible, less vulnerable to Internet-based threats. Today's Internet is the fulfillment of the grand dream of open networks, of a world in which a computer in South Africa, Pakistan, North Korea, or Poland can communicate with a network in West Texas: any node can exchange information with any other node, seamlessly. What has become increasingly evident over time is that the lack of geographic security controls means any Internet-enabled system is exposed, surrounded, seated in an electronic world without borders, terrain, or obstacles. This is perhaps the strictest definition of an indefensible position. While firewalls can protect a network from outside access, they cannot regulate such activity on the scale of geographic regions as is done with GTP. Nuclear power, electrical plants, petroleum refining, mass production, commerce, and e-commerce all rely upon a network of interconnected systems in which any node on the network is adjacent. An Internet-enabled network is perpetually surrounded, with only the firewall and intrusion prevention system to forestall attack, and these lack any a priori visibility of the geographic origin of incoming attacks. With geographic knowledge, the vast majority of Internet-based attacks can be blocked before they occur. In the latest Internet Threat Report from Symantec, over 70% of attacks detected came from non-US IP addresses; thus, one can see the potential security benefits possible with blocking traffic based on country of origin.