The invention relates generally to computer networks, and deals more particularly with a technique to graphically present data flows, vulnerabilities and misconfigurations in a firewall.
To provide security, there are separate networks with security controls between each network. This enables an enterprise network to house confidential data separately from publicly available data, to separate financial networks from service networks, etc. All of these design considerations provide confidentiality, integrity and availability. External networks are not considered trusted, because they are not under the complete control of the enterprise and are open to unknown users who may not be trusted. Typically, an enterprise intranet is considered known and trusted because it houses internal communications within the enterprise. While this intranet communicates with an external network environment either to transmit or receive data communications, the intranet generally will not need to receive inbound communications directly from untrusted networks. An extranet comprises known but untrusted network environments, such as “Demilitarized Zones” (“DMZ”), “Service networks” and “Business to Business (B2B) interconnections.” These networks are semi-secure because the owners and users are generally known but not trusted. There are also external unknown and untrusted networks such as the Open Internet. These are the riskiest types of networks with which to communicate.
The security controls between networks are often provided by a firewall. A firewall is a network device that can protect a variety of networks by inspecting, filtering and blocking data which flows to and through the network. The firewall can be installed between known and trusted networks, known and untrusted networks, and unknown and untrusted networks. A firewall comprises a routing engine and filters to screen out unwanted data communications. The firewall is responsible for enforcing a security policy for incoming and outgoing communications. The security policy may define the types of networks with which the known network is permitted to communicate and what protocols are permitted for the communications. For example, the firewall may only permit communications between the intranet and the enterprise's “DMZ”, which is located between the trusted internal network and the untrusted and unknown external network. An enterprise's DMZ comprises servers and other related devices that are supplied and managed by the enterprise, but generally do not contain unencrypted sensitive data. Therefore, if the servers in the enterprise's DMZ are corrupted by a communication from another, untrusted network, the damage is limited. Because the management of these DMZ servers is performed by the enterprise itself, a measure of security exists in the enterprise DMZ which does not exist in the Open Internet. There are cases when a network does not have a firewall, in which case it connects directly to other networks through a router.
Not only can a firewall deny traffic to and from networks, it can more granularly limit traffic between networks by limiting which hosts have access to communicate to or from network entities. These hosts are considered sophisticated enough to avoid receipt of damaging messages. These hosts are listed in a firewall ruleset. The firewall checks the ruleset for host identifiers (e.g., IP address or hostname) before permitting the communications. Audits of these rulesets are necessary to understand which hosts have outbound connectivity and to determine if any of the rules violate a pre-specified corporate security mandate.
A third way a firewall can limit traffic between networks is by communication protocols and ports. The most common communication protocols are TCP, UDP and ICMP. Each of these protocols includes usage criteria such as the range of ports used by TCP and UDP for certain types of requests. The TCP and UDP ports indicate which applications in the recipient device should provide the requested services. It is desirable in some cases to limit the range of ports for certain types of communications. The limitation on the range of ports facilitates the handling of the requested service. For example, many programs are written to open any available TCP or UDP port. This makes the identification of the application using such a port difficult. In some such cases it is possible to restrict the range of ports available to these applications to assist in identifying which application is using the port. It may be preferable for some networks to not allow communication using an application requiring an unlimited range of TCP or UDP ports.
The protocols also may specify the types of ICMP which are permitted. Example types are Echo Request (which sends a ping), Echo Reply (which responds to a ping) and Host Unreachable. Some networks may not wish to accept certain types of ICMP messages. For example, some destination networks deny Echo Request messages from untrusted networks because such messages can be used in denial of service attacks.
Some protocols are more controllable than others. For example, TCP provides “handshaking” for every communication whereas UDP does not. So, TCP is more controllable and trustworthy than UDP. Therefore, some networks may not want to accept UDP communications. It was known for an administrator to check whether the firewall permits incoming UDP communications, and if so, report a security violation. These checks were performed by reviewing the firewall access control lists or by sniffing traffic.
The security policy of a firewall also may prohibit certain message flows, such as those involving certain versions of Telnet and the Berkeley R commands (rshell, rlogin) because these protocols have known security holes. It was known for a systems administrator to check if the firewall permits such message flows, and if so, report a security violation. These checks were performed by reviewing the firewall access control lists or by sniffing traffic.
The vast configurability of firewall rules equates to very complex rulesets with significant potential for mistakes. Filter rules should be verified regularly to ensure they conform to the enterprise security policy, are configured properly and function as intended. Traditionally, this is completed manually by a systems administrator or a person outside of the day-to-day operations of the firewall such as a security administrator. The systems administrator or security administrator reviews each firewall rule to confirm the network type of each IP address and ensure that the data flows configured in the firewall are acceptable according to the enterprise security policy. While this technique is effective, it requires tedious, human review of the configuration information from each network with which communication is desired, and there can be many such networks. Routers and firewalls of networks are often changed, and this may require the systems administrator or security administrator to repeat the foregoing investigation.
A Solsoft computer program (by Solsoft Inc.) was known to display a diagram of networks connected to each other, and firewalls within the networks. This program includes an option to color code each of the networks. This option was commercially used (more than one year ago) to color code each network based on the security level of the network. This known color coding was blue for a most secure intranet, green for protected DMZ or Service network, yellow for a DMZ or Service network and red for an insecure network such as the Open Internet.
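The following Python program is an added illustration of the ruleset review described above and of the network color coding attributed to the Solsoft display; it is not part of this specification, of the Solsoft program, or of any cited reference. It assumes a constructed zone table, a constructed policy (inbound flows from untrusted networks into the intranet, UDP from untrusted networks, ICMP Echo Request from untrusted networks, Telnet and the Berkeley R commands, and rules opening an unlimited port range) and a constructed set of sample rules; every address, port limit and rule in it is a sample value chosen for the example.

```python
"""Added example (not from the specification): audit a small firewall
ruleset against the policy checks described in the background section and
tag each rule with the security-level colour of its source and destination
networks. All zones, policy values and rules below are constructed samples."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone table: CIDR -> network type. Anything unlisted is treated
# as the Open Internet (unknown and untrusted).
ZONES = {
    "10.0.0.0/8": "intranet",
    "192.168.10.0/24": "protected_dmz",
    "192.168.20.0/24": "dmz",
}
# Colour scheme as the text describes it: blue intranet, green protected DMZ,
# yellow DMZ/service network, red insecure network.
ZONE_COLOR = {"intranet": "blue", "protected_dmz": "green",
              "dmz": "yellow", "internet": "red"}
TRUSTED = {"intranet"}
# Sample policy: TCP services with known security holes (Telnet, rsh, rlogin).
INSECURE_TCP_PORTS = {23: "telnet", 514: "rsh", 513: "rlogin"}
# Sample policy: a rule opening more than this many ports is "unlimited".
MAX_PORT_RANGE = 1024


@dataclass(frozen=True)
class Rule:
    src: str                              # CIDR or single host address
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    ports: tuple[int, int] | None = None  # inclusive port range for tcp/udp
    icmp_type: str | None = None          # e.g. "echo-request" for icmp
    action: str = "accept"


def zone_of(addr: str) -> str:
    """Map an address or CIDR to its network type; unlisted -> 'internet'."""
    net = ipaddress.ip_network(addr, strict=False)
    for cidr, zone in ZONES.items():
        if net.subnet_of(ipaddress.ip_network(cidr)):
            return zone
    return "internet"


def audit_rule(rule: Rule) -> list[str]:
    """Return the policy findings for one rule (empty list means no finding).
    Only accept rules can create a data flow, so deny/drop rules are skipped."""
    if rule.action != "accept":
        return []
    findings: list[str] = []
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    if src_zone not in TRUSTED and dst_zone in TRUSTED:
        findings.append(f"inbound {rule.proto} from {src_zone} into {dst_zone}")
    if rule.proto == "udp" and src_zone not in TRUSTED:
        findings.append("udp accepted from untrusted network")
    if (rule.proto == "icmp" and rule.icmp_type == "echo-request"
            and src_zone not in TRUSTED):
        findings.append("icmp echo-request accepted from untrusted network")
    if rule.proto == "tcp" and rule.ports:
        lo, hi = rule.ports
        for port, name in INSECURE_TCP_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"insecure protocol {name} (tcp/{port}) permitted")
        if hi - lo + 1 > MAX_PORT_RANGE:
            findings.append(f"unlimited port range {lo}-{hi}")
    return findings


def audit(rules: list[Rule]) -> list[tuple[Rule, str, str, list[str]]]:
    """Audit every rule; each row carries the source and destination colours."""
    return [(r, ZONE_COLOR[zone_of(r.src)], ZONE_COLOR[zone_of(r.dst)],
             audit_rule(r)) for r in rules]


# Constructed sample ruleset.
SAMPLE_RULES = [
    Rule("10.0.0.0/8", "192.168.10.0/24", "tcp", (443, 443)),      # intranet -> protected DMZ
    Rule("0.0.0.0/0", "192.168.20.5", "tcp", (80, 80)),            # internet -> DMZ web host
    Rule("0.0.0.0/0", "10.1.2.3", "udp", (53, 53)),                # internet -> intranet, UDP
    Rule("192.168.20.0/24", "10.0.0.0/8", "tcp", (23, 23)),        # DMZ -> intranet, Telnet
    Rule("0.0.0.0/0", "192.168.20.0/24", "icmp", icmp_type="echo-request"),
    Rule("10.0.0.0/8", "0.0.0.0/0", "tcp", (1024, 65535)),         # unlimited outbound range
    Rule("0.0.0.0/0", "10.0.0.0/8", "tcp", (22, 22), action="drop"),
]

if __name__ == "__main__":
    for rule, src_color, dst_color, findings in audit(SAMPLE_RULES):
        status = "; ".join(findings) if findings else "ok"
        print(f"[{src_color}->{dst_color}] {rule.src} -> {rule.dst} "
              f"{rule.proto} {rule.ports or rule.icmp_type}: {status}")
```

The colour pair on each printed row is what a graphical presentation would use to shade the endpoints of the flow, and the findings list is the material a reviewer would otherwise have to derive by reading the access control list rule by rule.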
EP 1119151A2 to Alain et al. discloses a computer program which displays a graphical representation of a network; the data flows of the network can be determined through a series of queries.
An object of the present invention is to improve the process of reporting data flows, data flow vulnerabilities, data flow misconfigurations and improper firewall settings.