1. Field
This application relates to firewalls and, more particularly, to a method and apparatus for enabling enhanced control of traffic propagation through a network firewall.
2. Description of the Related Art
Data communication networks may include various computers, servers, nodes, routers, switches, hubs, proxies, and other devices coupled to and configured to pass data to one another. These devices will be referred to herein as “network elements,” and may provide a variety of network resources on the network. Conventionally, data has been communicated through data communication networks by passing protocol data units (such as packets, cells, frames, or segments) between the network elements over communication links on the network. A particular protocol data unit may be handled by multiple network elements and cross multiple communication links as it travels between its source and its destination over the network.
Many applications may be run over the network, and a network operator may wish to provide differential access to the applications based on the type of application, who is running the application, and numerous other factors. On a personal computer this may be accomplished by setting up a dedicated firewall, which allows traffic to be controlled on a per-application basis so that traffic from each application may be monitored to safeguard the computer. Unfortunately, personal firewalls must be installed and administered on every machine, which makes it expensive and time consuming to implement security in this manner on a large network, especially as the network grows and the number of users increases. Additionally, personal firewalls may be altered by the users or completely eliminated, thus possibly negating the security and control the firewalls were intended to provide. Finally, personal firewalls are only capable of identifying applications running on the local machine—the type or identity of an application attempting to connect to the local machine from the network can only be inferred from the port(s) or protocol(s) it is using. Thus, personal firewalls may not provide the level of control desired where the firewalls are to be used to control access to network applications.
To address these concerns, it is common to implement one or more network firewalls to secure the network, portions of the network, or applications on the network. Network firewalls are able to implement network policy by looking at information available in the header portion of packets or other protocol data units arriving at the firewall. This information may be used to filter traffic, for example, based on the destination IP address, which specifies where the packet is going, the origination IP address, which specifies where the packet originated, and the protocols that are being used to transport the packet. Additionally, firewalls generally are able to filter based on the port over which the packet is to be delivered, which gives the firewall some indication of the application associated with the packet, since applications generally use particular ports or ranges of ports to transport traffic on the network.
While network firewalls work well for particular classes of traffic and for certain types of applications, many applications dynamically select communication ports from a range of available ports. To ensure traffic for the application is able to get through the firewall, it is necessary for a traditional firewall to open all ports within the range, even though legitimate traffic may only be using one or a subset of the total number of open ports. This presents a possible security risk since unintended traffic may be allowed to get past the firewall. Other instances exist as well where current network firewall implementations are unable to inspect traffic closely enough or are unable to know sufficiently which traffic should be allowed to be transported on the network. An example of this is the use of HTTP tunneling—a technology where another protocol is carried over HTTP in order to penetrate a firewall configured to allow HTTP traffic. Accordingly, it would be advantageous to have a firewall that is able to exert better control over network traffic.
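The following added example, which is not part of this application and not code from any firewall product, models the header-only filtering described above and the port-range problem just stated. The server address 10.0.0.5, the client addresses, and the dynamic range 49152-49200 are constructed values. A first-match rule set opens the whole range for one application; the helper functions then count how many of the admitted packets belong to no negotiated session and how many ports in the range are exposed without being used.

```python
"""Header-only packet filter (constructed example) showing why a port range
opened for an application that negotiates its ports dynamically also admits
unrelated traffic to every other port in that range."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a traditional network firewall can see."""
    src_ip: str
    dst_ip: str
    protocol: str      # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: str = "0.0.0.0/0"               # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"               # CIDR; the default matches any destination
    protocol: Optional[str] = None       # None matches any protocol
    ports: Tuple[int, int] = (0, 65535)  # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        lo, hi = self.ports
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.protocol is None or self.protocol == pkt.protocol)
                and lo <= pkt.dst_port <= hi)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy: a hypothetical server 10.0.0.5 runs an application that
# picks its data port anywhere in 49152-49200, so the whole range must be opened.
RULES = [
    Rule("allow", dst="10.0.0.5/32", protocol="tcp", ports=(49152, 49200)),
    Rule("deny"),
]

# Constructed traffic: one legitimate session on the negotiated port 49160,
# plus connections to other ports inside and outside the opened range.
PACKETS = [
    Packet("192.0.2.10", "10.0.0.5", "tcp", 49160),    # the negotiated data port
    Packet("192.0.2.10", "10.0.0.5", "tcp", 49161),    # same range, never negotiated
    Packet("198.51.100.7", "10.0.0.5", "tcp", 49199),  # unrelated source, same range
    Packet("198.51.100.7", "10.0.0.5", "tcp", 8080),   # outside the range
    Packet("198.51.100.7", "10.0.0.5", "udp", 49160),  # right port, wrong protocol
]


def admitted(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets the header-only filter lets through."""
    return [p for p in packets if evaluate(rules, p) == "allow"]


def unintended(rules: List[Rule], packets: List[Packet],
               negotiated_ports: Set[int]) -> List[Packet]:
    """Admitted packets that belong to no port the application actually negotiated.
    The filter cannot tell them apart because nothing in the header differs."""
    return [p for p in admitted(rules, packets) if p.dst_port not in negotiated_ports]


def exposed_unused_ports(rule: Rule, ports_in_use: Set[int]) -> int:
    """Number of ports the rule opens that carry no legitimate session."""
    lo, hi = rule.ports
    in_range = [p for p in ports_in_use if lo <= p <= hi]
    return (hi - lo + 1) - len(in_range)


if __name__ == "__main__":
    for p in PACKETS:
        print(f"{p.src_ip:>13} -> {p.dst_ip}:{p.dst_port}/{p.protocol}  {evaluate(RULES, p)}")
    print("unintended admits:", len(unintended(RULES, PACKETS, {49160})))
    print("exposed unused ports:", exposed_unused_ports(RULES[0], {49160}))
```

Running the block prints the verdict for each constructed packet: the negotiated port and two unrelated ports in the range are all allowed, while the out-of-range port and the UDP packet are denied. With one session in use, 48 of the 49 opened ports carry no legitimate traffic, which is the exposure the text describes.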