1. Field of the Invention
The present invention relates generally to computer systems. More particularly, the present invention relates to computer security.
2. Description of Related Art
Recent advances in computer and networking technology have increased interest in the Internet and, with it, the number of private intranets being deployed. An important concern in securing a private intranet is preventing unauthorized access via its Internet connections. One method of preventing such access is the use of a firewall. In general, a firewall is a gatekeeping computer connected between the Internet and the private intranet. The firewall protects the private intranet by filtering traffic to and from the Internet according to network policies. Typically, the firewall provides a single checkpoint at which network traffic can be audited. Most firewalls can be classified as either packet filtering firewalls or proxy based application gateway firewalls.
Packet filtering firewalls ("packet filters") are typically implemented in routers. The routers use tables to indicate which communications protocols are allowed into and out of a particular network. Such packet filters drop, reject or permit packets based on destination address, source address and application port numbers. Packet filters do not maintain context and do not understand the applications whose traffic they carry; they make decisions purely by examining Internet Protocol ("IP") and transport headers and applying the rules they are programmed to follow. Because packet filters rely on header information alone, an unauthorized user can forge the IP address of a trusted machine in the packets he sends and thereby obtain access that the rules intended only for that machine. Packet filtering firewalls are thus susceptible to security breaches.
A second type of firewall, the proxy based application gateway firewall (also known as an application firewall or a proxy firewall), runs programs called proxies (or proxy software) that secure information flowing through a gateway. All Internet traffic is funneled through the gateway and controlled by the proxy software. The proxy software relays incoming information to the internal network based on the access rights of individual users. Because a proxy is typically an application program, it can base its decisions on context and on authorization and authentication rules, rather than on the IP address alone. Typically, proxy firewalls operate at the highest level of the protocol stack, the application layer. They therefore allow the systems analyst of a private intranet to implement security policies drawing on a wide range of defensive measures.
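The contrast drawn in the two preceding paragraphs, as an added example that is not part of the patent's text: a stateless packet filter whose rule table consults only header fields, beside an application proxy that authenticates and authorizes the user before relaying anything. A packet whose source address has been forged to that of a trusted host passes the filter, because the filter has nothing else to look at; the same packet is refused by the proxy unless it carries a valid credential. The addresses (RFC 5737 documentation ranges and RFC 1918 private space), the rule table, the credential store and the function names are all constructed for illustration.

```python
"""Packet filter versus application proxy (constructed illustration, not patent text).

All addresses, rules and credentials below are assumptions made for the example.
"""

import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The fields a packet filter can see: IP addresses plus transport protocol and port."""
    src: str
    dst: str
    proto: str
    dport: int


# Rule table in the style of a router ACL: first match wins, unmatched traffic is dropped.
# "*" / None are wildcards. The partner host 203.0.113.5 is the only one allowed to
# reach the intranet telnet server; the web server on 192.168.1.20 is open to everyone.
RULES = [
    # action,  source network,    destination network, proto, dport
    ("permit", "203.0.113.5/32", "192.168.1.10/32",   "tcp", 23),
    ("permit", "0.0.0.0/0",      "192.168.1.20/32",   "tcp", 80),
    ("deny",   "0.0.0.0/0",      "0.0.0.0/0",         "*",   None),
]


def packet_filter(pkt: Packet) -> str:
    """Stateless decision made purely from header fields, as a router table does."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for action, s_net, d_net, proto, dport in RULES:
        if src not in ipaddress.ip_network(s_net):
            continue
        if dst not in ipaddress.ip_network(d_net):
            continue
        if proto != "*" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # default deny if the table has no catch-all rule


@dataclass(frozen=True)
class ProxyRequest:
    """What an application proxy sees: the headers plus application-layer content,
    here reduced to a username and a credential presented by the client."""
    pkt: Packet
    user: Optional[str]
    credential: Optional[str]


# Constructed credential store and per-user authorization (assumptions).
CREDENTIALS = {"alice": "s3cret-token-alice"}
AUTHORIZED = {"alice": {("192.168.1.10", 23)}}


def proxy_filter(req: ProxyRequest) -> str:
    """Decision based on authentication and authorization; the source address is not trusted."""
    if req.user is None or req.credential is None:
        return "deny"
    expected = CREDENTIALS.get(req.user)
    # Constant-time comparison so a wrong credential cannot be guessed byte by byte.
    if expected is None or not hmac.compare_digest(expected.encode(), req.credential.encode()):
        return "deny"
    if (req.pkt.dst, req.pkt.dport) not in AUTHORIZED.get(req.user, set()):
        return "deny"
    return "permit"


def demo() -> dict:
    """Run the same intranet telnet connection attempt through both firewall types."""
    legit = Packet("203.0.113.5", "192.168.1.10", "tcp", 23)
    attacker = Packet("198.51.100.7", "192.168.1.10", "tcp", 23)
    # The attacker writes the trusted partner's address into the IP header; the
    # headers are now indistinguishable from the legitimate packet.
    spoofed = Packet("203.0.113.5", "192.168.1.10", "tcp", 23)
    return {
        "filter_legit": packet_filter(legit),
        "filter_attacker": packet_filter(attacker),
        "filter_spoofed": packet_filter(spoofed),
        "proxy_spoofed_no_cred": proxy_filter(ProxyRequest(spoofed, None, None)),
        "proxy_spoofed_bad_cred": proxy_filter(ProxyRequest(spoofed, "alice", "guess")),
        "proxy_legit": proxy_filter(ProxyRequest(legit, "alice", "s3cret-token-alice")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

Running the block shows the spoofed packet permitted by `packet_filter` and denied by `proxy_filter` until a valid credential is presented. In practice an address forged on the public Internet also sends the replies to the real trusted host, so the attacker works blind, and a filter can be strengthened by refusing packets that arrive on the external interface bearing internal or trusted source addresses; neither point changes the conclusion the patent draws, namely that a filter deciding on headers alone has no way to tell the two packets apart.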
As will be seen, the present invention describes an improved method for implementing a firewall.