1. Field of the Invention
The present invention relates to firewall systems and methods that prevent unauthorized users on a computer network from accessing a particular computer that is part of that computer network.
2. Description of the Prior Art
As computers become more commonplace, more and more computer users find themselves using computer networks to access information. Computer networks can be local area networks (LANs) used by a limited number of users, or open networks, such as the World-Wide Web, that are used by an unlimited number of users.
When a particular computer is joined to a computer network, that computer can access data contained within other computers that are also joined to that network. However, data can flow in both directions, and it is possible for data to be sent to, or retrieved from, that particular computer without the knowledge of the computer's operator. As such, private data contained on a computer can be accessed by unauthorized users. Furthermore, harmful data, in various forms, can be transmitted to computers.
Computer users that access data from or transfer data to unauthorized computers are commonly referred to as hackers. Protecting personal computers and network computers from hackers is a large business. Hundreds of systems are commercially available that are designed to prevent hackers from accessing network computers. Generally, the name given to a system that protects a computer from hackers is a “firewall” system.
The prior art is replete with firewall systems. Most firewall systems are software based and limit access to computers to authorized users who know the passwords or other encrypted access procedures. However, such systems are vulnerable to hackers who learn or decipher the proper access protocols.
More effective firewalls are created by mixing software with hardware so that a computer can be physically isolated from a network. If a computer is physically isolated from a network, it is not possible for a hacker on the computer network to retrieve data from or send data to the isolated computer. However, when a computer is isolated from a computer network, that computer also cannot send or receive desired data over the computer network. Such isolation firewalls are therefore impractical for most applications of computers that exchange data on a network.
In an attempt to make isolation firewalls more practical, firewall systems have been developed that temporarily isolate a computer from a computer network. Such prior art isolation firewall systems are exemplified by U.S. Patent Application Publication 2001/0054159 to Hoshino, entitled Switch Connection Control Apparatus For Channels. In the Hoshino publication, a firewall system is disclosed where incoming data is temporarily held in an isolated buffer, where it is scanned. Once the data is scanned and is determined to be authorized, the buffer is coupled to the processor of the computer via a physical switch. The same isolated buffer is also used to hold and scan outgoing data. As such, outgoing data is stored in the buffer and is sent to an outgoing modem only after the outgoing data has been scanned and has been determined to be authorized.
A single switch is used to connect the buffer between the computer and the outgoing lines. When the switch is in a first position, data can flow into the buffer from the computer. When the state of the switch is changed, data can flow into the buffer from the computer network.
The obvious drawbacks of a system such as that shown in the Hoshino publication are that incoming and outgoing data cannot be processed simultaneously. Rather, all outgoing and incoming data is batched. The buffer can hold either incoming data or outgoing data, but not both. Furthermore, both incoming data and outgoing data are limited by buffer size. If a file being downloaded is larger than the buffer allotment, that file cannot be successfully loaded using a Hoshino-like system. The use of a buffer also doubles download time. A computer user must first wait for data files to download to the buffer and be scanned, and must then wait again for the buffer to download the data files to the computer.
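The following model is an added example, not code from the Hoshino publication or from this application; it simulates the single-buffer, single-switch design described above so the batching and buffer-size limitations can be observed directly. The class name, the `<DENY>` scan marker and the byte counts are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Switch(Enum):
    TO_NETWORK = "network"    # buffer is coupled to the network side
    TO_COMPUTER = "computer"  # buffer is coupled to the computer's processor


@dataclass
class SingleBufferIsolationFirewall:
    """Constructed model of a Hoshino-style firewall: one isolated buffer,
    one physical switch, so only one direction can be in flight at a time."""
    capacity: int
    switch: Switch = Switch.TO_NETWORK
    buffer: bytes = b""
    transfers: int = 0  # each delivery costs a second copy (buffer -> destination)

    def scan(self, data: bytes) -> bool:
        # Stand-in for the scan step: a constructed marker sequence is "unauthorized".
        return b"<DENY>" not in data

    def load(self, source: str, data: bytes) -> str:
        """Stage data into the buffer from 'network' or 'computer'."""
        if self.buffer:
            # The single buffer is occupied: the other direction must wait (batching).
            return "rejected: buffer busy"
        if len(data) > self.capacity:
            # Transfers larger than the buffer allotment cannot be staged at all.
            return "rejected: exceeds buffer capacity"
        self.switch = Switch.TO_NETWORK if source == "network" else Switch.TO_COMPUTER
        self.buffer = data
        return "buffered"

    def flush(self) -> str:
        """Scan the buffered data and, if authorized, flip the switch and deliver it."""
        if not self.buffer:
            return "nothing buffered"
        data, self.buffer = self.buffer, b""
        if not self.scan(data):
            return "dropped: failed scan"
        # Flip the one switch so the buffer now faces the destination side.
        self.switch = (Switch.TO_COMPUTER if self.switch is Switch.TO_NETWORK
                       else Switch.TO_NETWORK)
        self.transfers += 1
        return f"delivered {len(data)} bytes to {self.switch.value}"
```

Walking a download and an upload through the model shows why the two cannot overlap and why a file larger than `capacity` never reaches the computer.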
A need therefore exists for a firewall system that selectively isolates a computer from a computer network, yet allows for an unlimited amount of data to be exchanged with the network when authorized. A need also exists for such a firewall system that can simultaneously send and receive data without having batch transmissions in a buffer. Such needs are provided for by the present invention as described and claimed below.