1. Field of the Invention
The present invention relates generally to an improved firewall system and method with particular application to dynamic computing environments.
2. Background of the Invention
Whereas the determination of a publication, technology, or product as prior art relative to the present invention requires analysis of certain dates and events not disclosed herein, no statements made within this Background of the Invention shall constitute an admission by the Applicants of prior art unless the term “Prior Art” is specifically stated. Otherwise, all statements provided within this Background section are “other information” related to or useful for understanding the invention.
Firewall products, which are often distributed as software application programs, can be considered to fall into one of two broad categories: corporate network firewalls and personal firewalls. Corporate network firewalls, also referred to as sub-net firewalls, monitor traffic at a network bottleneck, such as at a point where a corporate intranet interfaces to the Internet. At this position, all of the computers on the corporate intranet can be protected from threats outside the intranet originating from the Internet. This is a cost effective and efficient solution for corporations, whereas firewall products must only be installed and administered at the one or more key networking interfaces between the intranet(s) and the Internet. Addition of a wireless network portion to the corporate intranet can pose a “backdoor” vulnerability to the intranet, whereas any computer with a wireless network interface which connects to and accesses the intranet may also act as a wireless bridge to another wireless network, such as a neighboring corporate network or a hacker's wireless computer.
The second broad category of firewall product is a “personal” firewall. These products are provided by companies such as Symantec (e.g. Norton), McAfee, Computer Associates, and Kerio. These firewalls run directly on a computer, such as a computer with a wireless network interface. Some are distributed or provided as a separate application program, while others, such as Microsoft's Windows™ firewall are embedded in an operating system. Whereas the firewall protects the computer from threats coming from its wireless or wired network interfaces, it's configuration, preferences, and performance is limited and may not match or be equal to that of a corporate network firewall. Further, many companies find it cost prohibitive to outfit and administer every computer, or every mobile computer, in their corporation with a personal firewall installed directly on each computer.
But, current personal computer firewall products lack features needed to securely access trusted resources of another computer in a dynamic computing environment, such as an environment containing mobile personal computers (“PC”).
Thus far, many corporations require by policy personal firewall software operate on employee's computers to prevent various software security threats such as “trojan horse” programs, viruses, and the like, from spreading between computers within the corporation. It is common for one mobile PC to often require access to another computer for a variety of reasons, including backing up of software, mirroring, remote control software, input device sharing, etc. Additionally, the mobile computers need access to workstations in a variety of locations, including workstations physically near the mobile PC (e.g. computers on the same subnet), at home using a VPN, or offices around the world.
Present personal firewall technology has not yet securely solved these access problems related to inclusion of a mobile device in a computing environment. Current personal firewall software allows users to restrict network access to trusted computer resources in several methods. For example, entire networks can be either trusted or untrusted. Additionally, specific ports and hosts can be trusted by either Internet Protocol (“IP”) or host name.
Unfortunately, in a dynamic and mobile computing environment where mobile computers can present themselves into or onto a trusted network for a limited period of time, then leave the network, returning at some time later again, the IP address of a mobile PC often changes.
Another method employed by some personal firewalls is to establish trust relationships by Media Access Control (“MAC”) address. However, MAC addresses are not transferred across subnets, thereby limiting this method's use to computers which are always located on the same subnet.
Some current personal firewalls can be set up to trust an entire range of IPs, but trusting more IPs than necessary is also security risk. Technologies such as Dynamic Host Configuration Protocol (“DHCP”) attempt to provide a more convenient, centralized point of administration of IP addresses, with some provision of automatic assignment of IP addresses, and automatic expiration and re-use of IP addresses. Through configuration of short address “lease” times, IP addresses can be more efficiently utilized, and some security enhancements are realized, but still the networked resources remain vulnerable to certain modes of threat.
Still another method to enable communication between hosts is to “tunnel” that communication via a Virtual Private Network (“VPN”), such as open VPN, or through Secure Shell (“SSH”). There are also shortcomings of each of these approaches. First, VPN servers or tunneling SSH sessions are difficult to setup for the typical computer user. Second, additional work and expertise is required to maintain the VPN or SSH server. And, the user must manually re-establish the VPN or SSH tunnel prior to accessing resources on the target computer or setup programs such as “autossh” to re-establish the connection automatically. Further, not all application programs are able to fully function within either a VPN or SSH tunnel.