1. Field of the Invention
This invention pertains generally to firewall systems. More particularly, the invention is a firewall system and method which optimizes the performance of the firewall process by reducing overhead associated with ACL verification and firewall application-level authorization.
2. The Prior Art
Firewalls are known in the art. In general, a firewall is a combination of hardware and software which limits the exposure of a computer or group of computers to an attack from outside. The most common use of a firewall is on a local area network (LAN) connected to the global information network, known as the Internet. Without a firewall, anyone on the Internet could theoretically connect to the corporate LAN and retrieve and/or transmit information to computers on the LAN. A firewall provides services which enforce a boundary between two or more networks. In the above example, a firewall would enforce a boundary between the LAN and the Internet.
A traditional firewall is implemented through a combination of hosts and routers. A router can control traffic at the packet level, allowing or denying packets based on the source/destination address or the source/destination port number. A host (or application gateway), on the other hand, can control traffic at the application level, allowing control based on a more detailed and protocol-dependent examination of the traffic. Often, a router can be configured to provide firewall capability.
FIG. 1 depicts a block diagram of a firewall (or router with firewall capabilities) device 10 according to the prior art. Firewall 10 is shown having interface 1 (designated as 12a) and interface 2 (designated as 12b), interface 1 (12a) connected to a network 1 (14a) and interface 2 (12b) connected to network 2 (14b). As a data packet is communicated from network 1 (14a) to network 2 (14b) or from network 2 (14b) to network 1 (14a), the data is intercepted and is authorized or denied data communication based on a plurality of configuration settings as is well known in the art.
The firewall device 10 includes a plurality of services to carry out the operation of authorizing data traffic through the device 10. More particularly, the firewall device 10 includes a switching process component (or router) 16, a packet filtering component 18, and a firewall services component 20. Switching process 16 handles traffic connections associated with interfaces 12a, 12b, and routes data according to designated addresses.
The packet filtering component 18 filters data packets based on a set of rules defined in an associated Access Control List, designated ACL 22. The ACL 22 contains static as well as dynamic settings. Static settings are normally provided by a user in a configuration file. For example, the ACL 22 may define a set of IP (Internet Protocol) addresses that are permitted to communicate through firewall device 10. Dynamic settings are normally provided by the firewall services to enable certain communications, including return acknowledgement signals, for example.
The firewall services 20 provide authentication on an application level, providing among other things, protocol dependent inspection and authentication. As noted above, the firewall service 20 also configures the ACL 22 to allow certain communications to pass through the device 10.
The following example illustrates the operation of a prior art firewall device. FIG. 2 shows the structure of a typical data packet 28 transmitted through the firewall device. As is known, the data packet 28 will include a header portion 30, and a data payload component 32. The header portion 30 includes among other things, address information (such as the destination address, for example).
The data payload component 32 includes additional information such as User ID and protocol information, among other things.
When a data packet is communicated from network 14a to network 14b, for example, the data packet enters interface 12a from network 14a. The packet filtering component 18 intercepts the data packet at point 24 and determines whether the data packet is authorized to enter the router 10 via the interface 12a based on the set of rules defined in the ACL 22. Typically, the header is inspected to determine source and/or destination address information. If so authorized, the data packet is communicated back to point 24 and to the switching process 16 for routing to the appropriate interface.
The switching process 16 receives the data packet and “diverts” the data packet to the firewall services 20 for inspection and authorization. As noted above, the firewall services component 20 authenticates the data packet based on a set of protocol-dependent rules. In this way, the payload component 32 of the data packet is typically inspected to see if communication is authorized. If so authorized by the firewall services 20, the data packet is sent back to the switching process 16, which then communicates the data packet to the interface 12b via point 26. As noted above, the firewall services component 20 may also configure one or more settings within the ACL 22 to allow certain communications (return acknowledgments, for example) to pass through the router 10.
At point 26, the data packet communicated by the switching process 16 is again intercepted by the packet filtering component 18 to determine whether the data packet is authorized to exit interface 12b based on the set of rules defined in the ACL 22. If so authorized, the switching process 16 transmits the data packet to the interface 12b, via point 26, which then communicates the data packet to network 14b where the packet is further processed.
As described above, the prior art method of firewall processing involves a plurality of security authorization steps. For each data packet that is communicated through the firewall device, the authorization steps described above are carried out. In the above example of firewall 10 having two ports 14a, 14b, two ACL authentication processes are carried out by the packet filtering component 18, one for each port. Additionally, the switching process 16 diverts the packet to the firewall services 20 for application-level authentication.
While providing security, there are performance penalties associated with the above described authorization processes for a firewall. For example, because the switching process 16 operates in a different address space from the firewall services component 20, the router device 10 suffers the overhead associated with “context switching” when a data packet is “diverted” from the switching process 16 to the firewall services 20 for inspection and authorization.
Prior art firewalls “divert” each data packet handled by switching process 16. However, since data communication transactions often involve the transfer of a plurality of data packets (rather than a single packet), the need for authorizing (and therefore diverting) each and every packet may be unnecessary, once the first in a series of associated data packets has been authorized. This is particularly evident in a data transfer, as opposed to a control transfer.
For example, an FTP transfer of a file may involve the transfer of a plurality of packets. If the first packet is authorized between a source and a destination, then the remaining associated packets would also be authorized. However, under present firewall solutions, each of the remaining packets would be diverted and authorized, and thus the overhead associated with context-switching is realized for each of the associated packets for the duration of the file transfer.
Also as noted above, the packet filtering component 18 carries out authorization based on the rules provided in the corresponding ACL 22. This authorization is carried out for each packet processed by the packet filtering component 18. As noted above, the packet is checked upon entering a port and upon exiting a port, thus incurring additional performance penalties.
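The ingress ACL check, divert and egress ACL check described above, the per-packet cost summarized for the prior-art path, and the FTP reasoning that later packets of an already-authorized flow need not be diverted again, as an added Python simulation. This is not code from the patent or from any product it describes; the ACL contents, addresses, user names and the flow-cache variant are constructed assumptions used only to make the overhead countable.

```python
"""Simulation of the prior-art firewall pipeline of FIG. 1 (constructed example).

Counts ACL checks (packet filtering component 18 against ACL 22) and
diversions (context switches from switching process 16 into firewall
services 20), then repeats the run with a flow cache that remembers a flow
once its first packet has been fully authorized.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    protocol: str   # payload-level information inspected by firewall services
    user: str       # User ID carried in the payload (see data payload 32)

    def flow_key(self):
        return (self.src, self.dst, self.sport, self.dport)


@dataclass
class Counters:
    acl_checks: int = 0
    diversions: int = 0   # context switches into firewall services 20
    forwarded: int = 0
    dropped: int = 0


class AccessControlList:
    """ACL 22: static entries from configuration plus dynamic entries
    installed by the firewall services (e.g. to admit return traffic)."""

    def __init__(self, static_sources):
        self.static_sources = set(static_sources)
        self.dynamic = set()   # flow keys permitted dynamically

    def permits(self, pkt, counters):
        counters.acl_checks += 1
        return pkt.flow_key() in self.dynamic or pkt.src in self.static_sources


class FirewallServices:
    """Firewall services 20: protocol-dependent, application-level authorization."""

    def __init__(self, allowed_users):
        self.allowed_users = set(allowed_users)

    def authorize(self, pkt, acl, counters):
        counters.diversions += 1
        ok = pkt.protocol in ("ftp", "http") and pkt.user in self.allowed_users
        if ok:
            # dynamic ACL setting so the reverse direction (return acks) is admitted
            acl.dynamic.add((pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return ok


def prior_art_forward(pkt, acl, services, counters):
    """Ingress ACL check at point 24, divert to services, egress ACL check at point 26."""
    if not acl.permits(pkt, counters):
        counters.dropped += 1
        return False
    if not services.authorize(pkt, acl, counters):
        counters.dropped += 1
        return False
    if not acl.permits(pkt, counters):
        counters.dropped += 1
        return False
    counters.forwarded += 1
    return True


def flow_cached_forward(pkt, acl, services, counters, authorized_flows):
    """Assumed variant: a flow whose first packet passed all three steps is
    remembered, and its later packets skip both ACL checks and the divert."""
    key = pkt.flow_key()
    if key in authorized_flows:
        counters.forwarded += 1
        return True
    ok = prior_art_forward(pkt, acl, services, counters)
    if ok:
        authorized_flows.add(key)
    return ok


def run(packets, cached):
    """Push the packet list through one pipeline; return (counters, acl)."""
    acl = AccessControlList(static_sources={"10.0.0.5"})
    services = FirewallServices(allowed_users={"alice"})
    counters = Counters()
    flows = set()
    for pkt in packets:
        if cached:
            flow_cached_forward(pkt, acl, services, counters, flows)
        else:
            prior_art_forward(pkt, acl, services, counters)
    return counters, acl


def ftp_transfer(n):
    """Constructed traffic: n packets of one FTP transfer from a permitted
    source, followed by one packet from a source the static ACL does not list."""
    pkts = [Packet("10.0.0.5", "192.0.2.10", 40000, 21, "ftp", "alice") for _ in range(n)]
    pkts.append(Packet("10.0.0.9", "192.0.2.10", 40001, 21, "ftp", "alice"))
    return pkts


if __name__ == "__main__":
    for cached in (False, True):
        counters, _ = run(ftp_transfer(100), cached)
        print("flow cache" if cached else "prior art ", counters)
```

With 100 data packets the prior-art path performs 201 ACL checks and 100 diversions; the cached path performs 3 ACL checks and 1 diversion while forwarding and dropping exactly the same packets. The dynamic ACL entry installed by the services is what lets the return direction of the authorized flow through even though its source address is absent from the static list.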
Accordingly, there is a need for a method and apparatus which provides firewall security processing which minimizes the overhead associated with context switching and optimizes overall firewall performance. The present invention satisfies these needs, as well as others, and generally overcomes the deficiencies found in the background art.