1. Field of the Invention
The present invention relates generally to the field of computer security systems and, more particularly, to a firewall that regulates access and maintains security of individual computers linked to wide area networks (WAN).
2. Description of the Related Art
Personal computers were initially used primarily as stand-alone units having no direct connections to other computers or to computer networks. Exchanging data among these first computers was mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, computer users began to connect their personal computers to other personal computers by using Local Area Networks (LAN), thereby enabling groups of computer users to share peripherals and to share data between their computers. In this environment, maintaining security and controlling the information that a personal computer user could access over the LAN was relatively simple because the overall computing environment was limited and clearly defined within the LAN.
Then came the Internet. The development of the Internet has provided personal computers, either as stand-alone units or through a Local Area Network (LAN), access to vast stores of information, typically through web “browsers”, such as Microsoft's Internet Explorer® or Netscape Navigator®. Browsers and other Internet applications have the ability to access a URL (Uniform Resource Locator) or “Web” site. Access to the Internet with its vast stores of information is now essential for businesses to stay competitive, for consumers to stay informed, for many people to communicate with each other through e-mail or other forms of Internet communication, and for a myriad of other reasons, including entertainment.
Unfortunately, along with the benefits of having computer access to the Internet come a variety of dangers. These dangers include, for example, attacks by perpetrators (hackers) capable of damaging the computer system or stealing data and programs, and attacks by viruses and “Trojan Horse” programs that infiltrate a computer. Additionally, legitimate applications may send personal information to marketers without the knowledge of the user. These dangers were minor and infrequent before computer users started to connect to the Internet.
The software industry has introduced many products and technologies to address these dangers in an attempt to protect computers that access the Internet. The technologies and products that the software companies have introduced focus on keeping outside hackers, viruses and “Trojan Horse” programs from penetrating the computer system or network, and include, for example, proxy servers and firewalls. Firewalls are applications that intercept the data traffic at a gateway to a wide area network and check the data packets (i.e., the Internet Protocol packets, or the IP packets) for suspicious or unwanted activities. Some firewalls additionally conduct a “stateful inspection”, wherein the firewall keeps track of the state of each connection (for example, whether a TCP connection has been properly established) and evaluates each IP packet together with its transport protocol (e.g., TCP) header, and in some cases the application program protocol, in the context of that connection, in an attempt to better understand the exact nature of the data exchange. Proxy servers are usually combined with a firewall and function by accepting requests from the computers on the LAN. After examining these requests and determining their suitability, the proxy servers may then forward these requests to the requested Internet server or reject the request. In this manner, the user's computer never comes directly into contact with Internet servers, but instead communicates only with the proxy server that is communicating with the Internet servers.
The Internet is essentially an open network of computers and LANs. Computers within this open network communicate using multiple protocol layers. Each of the layers addresses a distinct concern of the communication process. As a core protocol of the Internet, Internet Protocol (IP) provides a layer for exchanging data packets between computers connected to the Internet, including providing data encapsulation and header formatting, data routing across the Internet, and fragmentation and reassembly. According to the protocol, data is transmitted by attaching a header with a destination address (IP address) and then transmitting the data packet from one computer to another until the data packet arrives at the desired destination. Along this journey, each computer uses an implementation of the IP Protocol to route the data packet to the next destination until the data packet reaches its final destination. Except for checking the integrity of the IP header, no error detection or recovery tasks are performed. When the data packet arrives at its ultimate destination, any necessary integrity checks are carried out.
Another protocol, the transport protocol, serves as a layer responsible for delivering application data end to end. It is, therefore, used only at the original source and final destination of the data. The Internet currently uses two different transport protocols. One protocol, User Datagram Protocol (UDP), offers a connectionless service with no guarantee of delivery or ordering. Therefore, in practice it is up to the target application to check data integrity. In contrast, Transmission Control Protocol (TCP), another transport protocol, provides reliable connection-oriented service, which establishes a connection with a remote computer and guarantees data integrity and delivery (or notifies the application in case of an error).
Both TCP and UDP data transmissions provide specific headers in addition to the IP header. In order to simplify forwarding the data packets to a target application, these headers include a port number. The port number identifies an application-level protocol. Port number 80, for instance, is normally used for the World Wide Web protocol (Hypertext Transfer Protocol or HTTP); port numbers reserved for a particular service in this way are called “well-known port numbers.” Other well-known port numbers include, for example, port number 25 for SMTP, used to deliver email, and port number 21, used for FTP service. A server makes its services available to the Internet by using a different port number for each service that the server offers. To connect to one of the services, the computer trying to connect must include both the specific IP address of the server and the specific port number used by the server to provide the requested service.
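The header layout described in the preceding paragraphs, as an added illustration (not code from the application or from any product named in it): the IP header is parsed and its header checksum verified, as each hop along the route does, and the source and destination port numbers are read from the TCP or UDP header that follows. The packets, addresses and port numbers are constructed for the example; the well-known ports are those named above.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Well-known port numbers named above (port 80 HTTP, 25 SMTP, 21 FTP).
WELL_KNOWN_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP"}
PROTO_TCP = 6
PROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum to place in bytes 10-11 of a header whose checksum field is zero."""
    return (~ones_complement_sum(header)) & 0xFFFF


@dataclass
class ParsedPacket:
    src: str
    dst: str
    protocol: int
    header_ok: bool           # True when the IP header checksum verifies
    src_port: Optional[int]   # transport ports, present for TCP and UDP only
    dst_port: Optional[int]
    service: Optional[str]    # well-known service implied by the destination port, if any


def parse_ipv4(packet: bytes) -> ParsedPacket:
    """Parse the IP header and, for TCP/UDP, the port numbers of the transport header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid header length")
    header = packet[:ihl]
    # Header integrity check performed at every hop: summing the whole header,
    # checksum field included, must give 0xFFFF (one's-complement zero).
    header_ok = ones_complement_sum(header) == 0xFFFF
    protocol = header[9]
    src = ".".join(str(b) for b in header[12:16])
    dst = ".".join(str(b) for b in header[16:20])
    src_port = dst_port = service = None
    payload = packet[ihl:]
    if protocol in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        # Both TCP and UDP headers begin with 16-bit source and destination ports.
        src_port, dst_port = struct.unpack("!HH", payload[:4])
        service = WELL_KNOWN_PORTS.get(dst_port)
    return ParsedPacket(src, dst, protocol, header_ok, src_port, dst_port, service)


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a correct header checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0x1234, 0x4000, ttl, protocol, 0, src_b, dst_b)
    checksum = ipv4_header_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def corrupt_ttl(packet: bytes) -> bytes:
    """Flip the TTL byte without recomputing the checksum, as in-flight corruption would."""
    return packet[:8] + bytes([packet[8] ^ 0xFF]) + packet[9:]


# Constructed samples (addresses from the RFC 5737 documentation ranges): a TCP
# segment bound for port 80 and a UDP datagram bound for an unassigned port.
SAMPLE_TCP = build_ipv4("192.0.2.10", "198.51.100.7", PROTO_TCP,
                        struct.pack("!HH", 51234, 80) + b"\x00" * 16)
SAMPLE_UDP = build_ipv4("192.0.2.10", "198.51.100.7", PROTO_UDP,
                        struct.pack("!HHHH", 40000, 9999, 8, 0))

if __name__ == "__main__":
    print(parse_ipv4(SAMPLE_TCP))
    print(parse_ipv4(corrupt_ttl(SAMPLE_TCP)).header_ok)  # False
```

The checksum covers only the IP header, which is why a corrupted TTL is caught at the next hop while a corrupted payload is not: detecting that is left to the transport protocol at the final destination, as the paragraph on the transport layer describes.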
TCP/IP refers to IP Protocol combined with TCP and UDP. Normally, application programs communicate with an available TCP/IP implementation (e.g., Windows “WinSock”) through an Applications Programming Interface (API). For Windows computers, the WinSock API simply encapsulates the TCP/IP architecture. WinSock is patterned after the popular Berkeley Sockets programming model, which is generally considered the de facto standard for TCP/IP networking.
Internet applications generally implement more specialized protocols on top of TCP/IP. For example, a Web browser implements the client portions of the HyperText Transfer Protocol (HTTP) in order to communicate with Web servers. A Web browser also might implement other protocols, such as the older File Transfer Protocol (FTP) for downloading data. Electronic mail applications (i.e., E-mail clients) implement the client portion of the Simple Mail Transfer Protocol (SMTP) and the Post Office Protocol (POP). Still other protocols exist for use in the Internet, many of which are documented in the technical, trade, and patent literature.
Firewalls have been developed for installation on desktop computers, whether these computers are attached to a LAN or operated as stand-alone computers. Firewall programs such as ZoneAlarm®, a registered trademark of Zone Labs, Inc., of San Francisco, Calif., or Desk Top Firewall®, a registered trademark of Symantec, Inc., of Cupertino, Calif., are installed on a desktop computer to prevent unwitting or unauthorized inbound or outbound Internet traffic with the desktop computer. When an application program running on the desktop computer attempts to access the Internet to connect to a particular server/port for the first time, the firewall program asks the user to approve or deny the access. Typically, the firewall program allows the user the option of having the firewall program create an Internet access rule based on the user's response. Once an Internet access rule is in place, usually as part of a database of access rules with their criteria and conditions, the firewall does not have to seek the user's approval each subsequent time that the application program attempts to access the particular server and port covered by the rule.
Similarly, when a request to access the user's computer is received from an external source over the Internet on a particular port of the user's computer, the firewall program on the computer queries the user to approve or deny access, again offering to store the answer in the form of an access rule of the firewall program if the user so chooses. Therefore, the user is allowed to provide the firewall program with instructions about how to control both Internet traffic that is inbound to the computer and Internet traffic that is outbound from the computer.
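The rule database and ask-once behaviour described in the two preceding paragraphs, as an added illustration that is not code from ZoneAlarm, Desk Top Firewall or any other product named above. The application names, remote hosts and scripted user answers are constructed; in keeping with the text, the only information available when the user is consulted is the application name, the remote host and the port.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ANY_HOST = "*"  # wildcard usable in a stored rule to cover every remote host


@dataclass(frozen=True)
class AccessRequest:
    app: str        # application name, which is all a typical desktop firewall reports
    direction: str  # "outbound": app connects out; "inbound": remote source connects to a local port
    host: str       # remote server (outbound) or remote source (inbound)
    port: int       # remote port (outbound) or local port (inbound)


@dataclass(frozen=True)
class UserAnswer:
    allow: bool
    remember: bool  # True when the user asks the firewall to create a rule from this answer


RuleKey = Tuple[str, str, str, int]


class DesktopFirewall:
    """Per-application access control: consult the rule database, otherwise ask the user."""

    def __init__(self, ask_user: Callable[[AccessRequest], UserAnswer]):
        self.ask_user = ask_user
        self.rules: Dict[RuleKey, bool] = {}  # (app, direction, host, port) -> allow?
        self.prompts = 0  # how many times the user had to be consulted

    def lookup(self, req: AccessRequest) -> Optional[bool]:
        """Return the stored verdict, preferring a host-specific rule over a wildcard one."""
        for host in (req.host, ANY_HOST):
            key = (req.app, req.direction, host, req.port)
            if key in self.rules:
                return self.rules[key]
        return None

    def check(self, req: AccessRequest) -> bool:
        verdict = self.lookup(req)
        if verdict is not None:
            return verdict  # covered by an existing rule: no dialog
        self.prompts += 1
        answer = self.ask_user(req)  # the dialog shows only app, host and port
        if answer.remember:
            self.rules[(req.app, req.direction, req.host, req.port)] = answer.allow
        return answer.allow


# Constructed stand-in for the user dialog: scripted answers for three requests.
SCRIPTED_ANSWERS: Dict[RuleKey, UserAnswer] = {
    ("mailer.exe", "outbound", "smtp.example.net", 25): UserAnswer(allow=True, remember=True),
    ("mailer.exe", "outbound", "stats.example.com", 80): UserAnswer(allow=False, remember=True),
    ("helper.exe", "inbound", "203.0.113.9", 8080): UserAnswer(allow=False, remember=False),
}


def scripted_user(req: AccessRequest) -> UserAnswer:
    return SCRIPTED_ANSWERS[(req.app, req.direction, req.host, req.port)]


def run_demo() -> Tuple[List[bool], int]:
    """Replay the requests and return the verdicts plus the number of prompts raised."""
    fw = DesktopFirewall(scripted_user)
    # A pre-existing wildcard rule: the browser may reach any host on port 80.
    fw.rules[("browser.exe", "outbound", ANY_HOST, 80)] = True
    mail = AccessRequest("mailer.exe", "outbound", "smtp.example.net", 25)
    stats = AccessRequest("mailer.exe", "outbound", "stats.example.com", 80)
    inbound = AccessRequest("helper.exe", "inbound", "203.0.113.9", 8080)
    web = AccessRequest("browser.exe", "outbound", "www.example.org", 80)
    verdicts = [fw.check(mail), fw.check(mail),        # second call answered by the stored rule
                fw.check(stats),                       # same app, different server: new prompt
                fw.check(inbound), fw.check(inbound),  # not remembered: prompted both times
                fw.check(web)]                         # matched by the wildcard rule, no prompt
    return verdicts, fw.prompts


if __name__ == "__main__":
    print(run_demo())  # ([True, True, False, False, False, True], 4)
```

Note that a rule is keyed on the application name alone, which is exactly the limitation the following paragraph describes: the user decides on the basis of a name, a host and a port, with nothing about why the connection is wanted or what will be sent.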
Unfortunately, when an application program requests permission to access the Internet through the firewall, a typical firewall program provides the user with insufficient information to make an informed decision. Typically, the firewall will provide only the name of the desktop application program seeking access to the Internet and the name of the remote server and port that the application program wants to access. The firewall is unable to provide the user with a reason why the application program wants to access the Internet or what information will be sent or received. While some reasons may be obvious, for example, an email organizer application requires connecting with the user's SMTP server, other reasons are not so obvious, leaving the user to guess as to whether to permit access or not. Some application programs have abused this lack of user knowledge by collecting private information without the user's permission and sending that information to a server without the user's knowledge or permission.
With access to the Internet being such an important and growing need for many people and businesses, computer users want to protect their computers and their privacy and still have access to the Internet. What is needed is a method that informs computer users why their applications and computers need to access the Internet before the access is provided. It would be of further benefit if the method enabled a firewall program to provide the user with enough information to make informed decisions as to whether to allow the Internet access.