Network firewalls have been around for long enough that most IT professionals define them as means for protecting computers on a network by filtering at the network perimeter that which is permitted to enter a local area network (LAN) from an external network. Network firewalls are usually deployed so that they can filter all attempts to reach any of the computers on the internal network. This filtering is usually at the IP (Internet Protocol) packet level, though more recent technologies extend this approach to higher levels of the IP network stack. (The IP network stack is the way in which the Internet protocols are layered on top of each other in order to provide a modular design to these protocols. At the bottom is the hardware layer, and at the top is the application layer. Near the bottom are the layers that are responsible for communicating with adjacent computers on the same local network, and for tunneling through to computers and other devices on non-local networks.) The trend is toward an integrated network perimeter defense system that scans and filters at all levels of the IP stack. In general concept, intrusion detection systems (IDSs) and similar defensive systems have a similar mandate and approach, but they work at higher levels of the IP network stack.
Generally, network firewalls (sometimes referred to as ‘firewalls’, omitting the word ‘network’) are deployed as hardware appliance implementations, though software implementations running on multi-purpose servers are still common. There is also a class of local software-implemented network firewalls, so-called ‘personal firewalls’, which sit at a computer's network interface to the external world and attempt to prevent malware and undesired network access to the protected computer. These work in a manner quite similar to the perimeter network firewalls, but with differences, such as the responsibility to monitor activities on the local computer, and to detect and filter out certain behavior such as attempts by local software to access the network.
Anti-Virus (A-V) software and local software firewalls have a somewhat similar mission, i.e., to filter out malware before it can do anything, with the assumption that most viruses these days are network borne. In addition, most desktop A-V software still checks floppy disks and other removable media when they are first mounted, presumably before the possibly infected contents can do any damage. It is interesting that we still need A-V software for network access protection, since one would assume that adequate firewalls would filter out all of the attempts to penetrate the protected system, including invasion attempts by viruses.
To simplify the concept, most anti-virus software focuses on what happens to files (monitoring changes to file systems, boot sector, etc.), while network firewalls focus on network sockets (ports, addresses, packets, protocols, etc.). Of course, there are other kinds of malicious software (malware) than just viruses, e.g., trojans, backdoors, worms, etc. These can be divided into 2 sets, or rather their functionality can be considered as falling into 2 basic classes: malware that knows how to propagate itself, and malware that does not.
For purposes of this description, all of the firewall, IDS, and similar mechanisms are lumped into the general category of “firewall” since the industry seems to be going this way, with tighter integration among the various layers of perimeter defenses and internal defenses. The architecture of software that protects at the network access point(s) necessarily corresponds to the architecture of the network access protocols, so the firewalls and related mechanisms filter network traffic at the same layers (i.e. they assume the same semantics) as the protected network transport layers. This is to say that at each layer in the network stack there are layer-relevant attack vulnerabilities, and well designed network defenses have defensive elements at each layer. The defenses at each higher layer are designed, in part, to protect against the vulnerabilities of the lower layer(s). Most of the innovation in firewall design over the past 15 years has essentially been to move the analysis of layer n traffic up one level, so as to capture and analyze multiple pieces of layer n traffic, in order to assemble a more complete understanding of whether a set of layer n traffic segments corresponds to an attack using that layer.
As the defenses are gradually moved up the network stack, they must have a greater understanding of the semantics of the protected layer. To take this to its logical conclusion, since the top layer is the application, the outcome of this historical progression will be defenses that know how to protect applications; by understanding the normal state and behavior (i.e. network access, file access, disk access and on-disk presence, and memory access) in and out of the protected applications.
Malware that knows how to propagate itself falls generally into 2 behavior categories, though often malware that can do one, can also do the other. The first is inter-system propagation, such as through email systems, and the second is on-system propagation, such as copying itself into many files on a hard drive.
Roughly speaking, there are 3 kinds of anti-virus (A-V) mechanisms: network filters, file system scanners, and monitors. The network filter has an architecture roughly similar to that of the firewall architecture covered above, since it has the same goal of filtering out penetration attempts; it provides a defense against inter-system propagation. The file system scanner looks for on-system viruses in all file accesses (and can be used to sieve through file sets to look for viruses, perhaps comparing against a ‘signature’ database, i.e., an exhaustive set of defined attributes of known viruses and similar malware), while the monitor attempts to detect and block on-system viruses from doing virus-like behavior such as loading itself into memory, infecting files and operating system disk blocks, etc.
The monitor portion of an A-V tool set has an interesting challenge—ideally it would attempt to determine whether any running software is doing any virus-like behavior, but new viruses are generally able to outwit most A-V software. This vulnerability to successful infections from new viruses is part of the “Zero Day” risk. There have been well documented successful Zero Day attacks from all sorts of malware, including viruses; details are available on the Internet.
With respect to the current situation of PC security defenses, although the architectures described above are interesting from a system defense perspective, it is interesting to note that even with the latest system defenses, successful malware attacks and infections are on the rise, and that installing defensive software on an infected system will not eliminate the current infection.
New, and therefore unprotected, PCs are infected within a few minutes of being put on the net, and they have to be put on the net in order to download and install the latest security defense updates and operating system security-related patches. Moreover, any PC that has been offline for several weeks is similarly vulnerable, during the time period from when it is connected to the net until the latest operating system (O/S) patches, virus signatures, and firewall updates are installed and active.
In addition, even machines that are constantly connected, with automatic download & updates, are at risk from so-called Zero Day attacks. This is because it takes time for the security patches and updates to be created in response to new malware and newly discovered vulnerabilities, and all PCs on the net during this intervening period are vulnerable to these new malware attacks. And even later, when there are available patches and updates, with automatically scheduled downloads & updates it often takes a few days for all at-risk PCs to get the latest versions.
And to make this situation even more serious, there are new threats daily. Not almost daily, as it was only a few years or so ago, but with at least one new serious threat each day. Many experts expect this situation to become worse, with new malware attack threats coming even more frequently, perhaps hourly.
As a result, one cannot depend on the current generation of network and PC defensive mechanisms to prevent the infection of PCs. This situation puts at risk our data and other assets, and therefore our willingness to use the Internet.
In order to provide a secure computing environment, it is necessary to defeat malware propagation. This alone will not provide a secure computing environment, but it is a necessary element. Older security technologies are still necessary, but they are not sufficient to prevent system penetration (unauthorized access), which is why there are so many successful penetrations.
This is a significant problem. Successful penetration may leave no tracks or evidence, or a rootkit (i.e. trojan or backdoor program) may use active camouflage to prevent detection. And successful penetration leads to the installation of the virus, rootkit, or spyware, as well as to successful theft and/or damage to data.
Each day there are new attacks, new exploits, and newly discovered vulnerabilities. It is thus probably impossible to prevent zero day (brand new) attacks from successful penetration of any network connected computer systems. Given the expectation that at any given moment a computer may be infected with some variety of malware, in order to protect the confidentiality and integrity of data, it is clear that something new is needed.
The philosophy of our security model is based on the realization that locking a device down to an authorized configuration is essential for operational and information assurance—assurance that the device is performing its expected role, not leaking information, and not permitting an attacker to inject bad information. Locking down a system in this way is very difficult or impossible using the tools that existed before the invention of the F+ storage firewall.
The security model we promote is to establish a level of assurance that the device is performing its mission as specified, with high degrees of integrity, availability, and confidentiality. Ours may not be the only security technologies on that device, but they will establish and uphold (attempt to assure or maintain) the baseline authorized configurations that enable the device mission.
Other firms will advance all sorts of schemes to monitor the mission processor for malware and other unauthorized software, and unauthorized behavior, where their schemes inject various technologies into the software environment, likely causing just the sort of chaotic behavior they are intended to prevent, as well as device performance issues, etc. These include software reference monitors hacked into system software kernels, application level anti-virus scanners, etc. We will take the high road—focusing on better ways to protect devices and the system they are part of, with solutions that can be verified and validated in isolation before we bolt them together.
Accomplishing this goal requires, among other things, whitelist access control and filtering mechanisms (storage firewalls) on each device's storage interface(s), a flexible monitoring scheme and supporting technology on the device's interface firewalls, a configuration database and supporting technology on the server (or in the “cloud”), and a flexible and intelligent communication path between them. If it is not possible to establish a server communication link from the device's storage firewall, then this firewall has to be able to operate successfully in a standalone mode with appropriate settings and default behaviors to deal with unexpected conditions. If an anomaly (unexpected device behavior) is detected by the device itself, or one of its firewalls, or analytics on the server, then appropriate action is taken, which may include refreshing the device's internal software. This means that the storage firewall can run analysis on disk access attempts and, when judged necessary, refresh the device's mission processor by rebooting from the protected disk version of the system and mission software.
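The decision flow described above can be sketched as a small model. This is an added example, not the F+ storage firewall's own code: the whitelist entries, the `anomaly_limit` default, the decision strings and all function names are hypothetical, and the model assumes that with a server link anomalies are reported for server-side analytics, while in standalone mode a local threshold triggers the refresh.

```python
from dataclasses import dataclass, field

# Constructed authorized configuration: (program, storage region, operation).
# Every name and value below is hypothetical, chosen for illustration.
AUTHORIZED = frozenset({
    ("mission_app", "/data/telemetry", "write"),
    ("mission_app", "/system/config", "read"),
    ("updater", "/system/image", "read"),
})

@dataclass
class StorageFirewall:
    whitelist: frozenset = AUTHORIZED
    server_reachable: bool = False   # is the configuration server link up?
    anomaly_limit: int = 3           # assumed standalone default
    anomalies: list = field(default_factory=list)
    refresh_count: int = 0

    def check(self, program, region, op):
        """Default-deny decision for one storage access attempt."""
        request = (program, region, op)
        if request in self.whitelist:
            return "allow"
        self.anomalies.append(request)
        if self.server_reachable:
            # Server-side analytics decide on any follow-up action.
            return "deny+report"
        if len(self.anomalies) >= self.anomaly_limit:
            # Standalone mode: act locally by restoring the protected image.
            self.refresh_count += 1
            self.anomalies.clear()
            return "deny+refresh"
        return "deny"

def replay(requests, server_reachable=False):
    """Run a sequence of access attempts through a fresh firewall."""
    fw = StorageFirewall(server_reachable=server_reachable)
    return [fw.check(*r) for r in requests], fw.refresh_count

# Constructed sample: one authorized write, then three attempts outside the whitelist.
SAMPLE = [
    ("mission_app", "/data/telemetry", "write"),
    ("unknown_bin", "/system/image", "write"),
    ("mission_app", "/system/image", "write"),
    ("unknown_bin", "/boot/sector0", "write"),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
    print(replay(SAMPLE, server_reachable=True))
```

Note that the third sample request comes from a whitelisted program but targets a region and operation it is not authorized for, so it is still denied: the whitelist is matched on the whole tuple, not on the requester alone.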