1. Field of Invention
This invention relates to the field of information security, and more specifically to network firewall security protocols.
2. Description of the Related Art
Increasingly, software components perform functions previously provided by hardware components. At a basic level, a firewall performs processing functions which enable authorized messages (i.e., data) to be transferred back and forth between systems in an efficient and secure manner. In theory, unauthorized users will not be able to access and communicate with computers on the protected network.
Typical firewalls known in the art require a trained network administrator to configure a firewall by creating a list of “ports.” A port is code which operates as a set of interface instructions for other computers to connect to the network. The code that comprises a port is written to accept authorized communication packets, and to direct the packets based on the information in the header.
Most firewall ports allow packets generated by external computers to pass connections when the communications conform to specific types of services (e.g., HTTP/HTTPS/Web, DNS, NTP, SMTP/IMAP/IMAPS/POP, RDP, SSH, etc.). Currently, skilled administrators configure the ports to recognize packet information providing credentials from a select group of users, allowing them to access services that the users are permitted to access. A port that accepts incoming packets is referred to as an “open” port.
One of the most significant problems known in the art of network security is the vulnerability of “open” ports to malicious code that emulates authentic code or which bombards the ports with communications that impede the firewall from the orderly processing of communications packets. Malicious code can also enter a firewall and disable the device itself.
Currently, firewalls known in the art do not protect against both brute-force attacks (trying to guess credentials) and the exploitation of known deficiencies. As mobile computing becomes widespread this problem is exacerbated. Users in mobile networks attach their computers to untrusted public networks (e.g., via public WiFi). In mobile networks, firewall exceptions (e.g., allow and do-not-allow policies) for services and applications that are enabled on the user's home networks (e.g., file sharing) may remain enabled when these users connect to unprotected public networks (such as a coffee shop or airport WiFi).
Attempts have been made in the art to develop technologies which can enable firewalls to receive necessary information packets from external computers without the need to leave ports open to “listen” for communications. “Port knocking” is one technology known in the art which has been developed to limit the vulnerability of open ports. In theory, port knocking allows all ports in a firewall to be closed until connection attempts are made on closed ports in a specific sequence. The connection attempts operate like the coded sequence of a combination lock because each port has a number associated with it. Accessing the correct port numbers in the correct sequence opens the firewall ports.
The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.
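The “combination lock” described above, as an added illustration that is not part of this specification: a per-source state machine that replays connection attempts seen on closed ports and reports which sources completed the knock sequence in order and within a time window. The sequence, window and sample events are constructed for the example; a real firewall would follow a successful knock by opening the protected port for that source only, which this code does not do.

```python
from collections import defaultdict

# Constructed for this example: expected knock order and max gap between knocks.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0  # seconds (assumption)


class KnockTracker:
    """Tracks, per source address, how far along the knock sequence it is."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = defaultdict(int)  # source -> correct knocks so far
        self.last_seen = {}               # source -> time of last correct knock

    def observe(self, source, port, ts):
        """Record one attempt on a closed port; True if it completes the sequence."""
        idx = self.progress[source]
        # A stale partial sequence is discarded before judging this attempt.
        if idx and ts - self.last_seen[source] > self.window:
            idx = 0
        if port == self.sequence[idx]:
            idx += 1
        else:
            # Wrong port resets the lock; the wrong knock may itself be a first knock.
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.progress.pop(source, None)
            self.last_seen.pop(source, None)
            return True
        self.progress[source] = idx
        if idx:
            self.last_seen[source] = ts
        return False


def unlocked_sources(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay (source, dst_port, timestamp) events; return sources that unlocked."""
    tracker = KnockTracker(sequence, window)
    return [src for src, port, ts in events if tracker.observe(src, port, ts)]


# Constructed sample of SYNs seen on closed ports: (source, dst port, seconds).
SAMPLE_EVENTS = [
    ("10.0.0.5", 7000, 0.0), ("10.0.0.5", 8000, 1.0), ("10.0.0.5", 9000, 2.0),    # correct
    ("10.0.0.9", 7000, 0.5), ("10.0.0.9", 9000, 1.5), ("10.0.0.9", 8000, 2.5),    # wrong order
    ("10.0.0.7", 7000, 3.0), ("10.0.0.7", 8000, 20.0), ("10.0.0.7", 9000, 21.0),  # too slow
    ("10.0.0.7", 7000, 30.0), ("10.0.0.7", 8000, 31.0), ("10.0.0.7", 9000, 32.0), # retry OK
]
```

Running `unlocked_sources(SAMPLE_EVENTS)` yields only the two sources whose knocks were in order and inside the window; a plain port scan, which touches the knock ports in ascending order but also everything in between, is reset by the intervening wrong ports.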
Despite the promise of port knocking technology as a means of securing firewalls against brute force and denial of service attacks, there are significant obstacles for implementing this technology to create viable security options in a business. In particular, firewalls must be deployed across a wide range of network platforms.
There is an unmet need for standardized, easily deployed firewall technology that can be made commercially available at a reasonable cost and effectively deployed regardless of the network protocol utilized by particular devices or networks in communication through the firewall.
There is an unmet need for a firewall that is capable of responding to changes in a network environment to dynamically modify firewall exceptions as needed within the particular environment.
There is a further unmet need for a firewall that can receive user-generated messages in packets without the need to first “open” the firewall to receive the packets.