1. Field of the Invention
The invention relates to the field of computer networks. More specifically, the invention relates to computer network security.
2. Background of the Invention
FIG. 1 (Prior Art) is a diagram illustrating a proxy firewall analyzing packets. In FIG. 1, an external host 105 establishes a connection 104 to a proxy firewall 103. The proxy firewall 103 establishes a separate connection 102 to a protected host 101 on behalf of the external host 105. The proxy firewall 103 communicates with the protected host 101 on behalf of the external host 105, and communicates with the external host 105 on behalf of the protected host 101. At a time 1, the external host 105 transmits a packet A to the proxy firewall 103. The proxy firewall 103 receives the packet A and analyzes the packet A at a time 2. The proxy firewall 103 may analyze the packet's payload, or both the header and the payload. As a proxy, the proxy firewall 103 acts as the protected host 101 and analyzes the packet A's payload at the application level. Hence, the proxy firewall 103 must support the application level protocols relevant to packet A. If the packet A is determined to be allowed, then at a time 3.1 the packet A is re-encapsulated and transmitted over the connection 102 to the protected host 101. If the packet A is determined to be disallowed, then at a time 3.2 the packet A is discarded.
Although the proxy firewall is able to analyze both the header and the payload of the packet, this technique of analysis is inefficient. In particular, the proxy firewall introduces significant latency because it terminates and originates traffic on behalf of both the external host and the protected host. Packets are slowed since they traverse two connections. The latency introduced by the two connections provides the proxy firewall 103 the time necessary to analyze the payload. In addition, to perform analysis of the payload, the proxy firewall 103 must support the higher level protocols in order to decapsulate, analyze, and re-encapsulate the packet. Supporting the higher level protocols further increases latency and increases the cost and complexity of the firewall.
FIG. 2 (Prior Art) is a diagram illustrating packet analysis with a sniffer. In FIG. 2, an external host 205 establishes a connection 202 to a protected host 201 through a firewall 203. At a time 1, a packet A is transmitted from the external host 205. At a time 2, the firewall 203 analyzes the packet A. A sniffer 207 passively copies packets that are transmitted from the external host 205 to the firewall 203. Although the sniffer 207 is illustrated as sniffing packets transmitted from the external host 205 to the firewall 203, the sniffer 207 can also sniff packets transmitted from the firewall 203 to the protected host 201. At the time 2, the sniffer 207 sniffs the packet A and analyzes the payload of the packet A. As with a proxy firewall, the sniffer 207 must support the higher level protocols relevant to the packet A in order to analyze the payload of the packet A. If the packet A is an allowed packet, then the sniffer 207 simply discards its copy of the packet A. If the packet A is a disallowed packet, then the sniffer 207 transmits an alarm 209. The alarm 209 may be transmitted to the firewall 203, an administrative workstation, the protected host 201, etc.
In addition to the protection offered by the sniffer 207, the firewall 203 analyzes packets traversing the connection 202. Whether the firewall 203 implements packet filtering or stateful packet inspection, the firewall 203 only analyzes the header of the packet A. If the firewall 203 determines that the packet A is allowed, then at a time 3 the firewall 203 forwards the packet A to the protected host 201. If the firewall 203 determines that the packet A is disallowed, then the packet A is discarded. Unfortunately, the connection 202 remains open even though the packet A is determined to be disallowed. Hence, additional packets can still traverse the connection 202. Although the firewall 203 discards disallowed packets, disallowed packets may continue to be transmitted on the connection 202. As long as the connection 202 remains open, the risk of the firewall 203 being penetrated increases.
Although the sniffer technique enables analysis of packet headers and payloads without impacting transmission time by performing packet payload analysis in the sniffer 207 instead of the firewall 203, the packet payload analysis provided by the sniffer 207 only provides notification and does not prevent infection. By the time the sniffer detects that a packet is disallowed, the packet has already been transmitted to its destination. The sniffer technique provides notification of a threatening connection, but does not block disallowed packets.
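The distinction drawn above, between a firewall that sees only the header and a proxy or sniffer that must parse the application-level payload, is illustrated by the following added example. It is not code from the patent; it constructs sample IPv4/TCP packets inline (no checksums, constructed data only), applies a header-only 5-tuple rule such as the firewall 203 would, and then applies an HTTP request-line check such as the proxy firewall 103 or sniffer 207 would. The protected-host address, allowed port and HTTP policy are assumptions chosen for the illustration.

```python
"""Header-only filtering versus application-level payload inspection (added example)."""
import ipaddress
import struct

# Assumed policy for the illustration: only HTTP to the protected host is allowed.
PROTECTED_HOST = "10.0.0.5"
ALLOWED_DST_PORTS = {80}


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at zero."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract the 5-tuple and the TCP payload; this is all a header-only firewall looks at."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": tcp[data_offset:],
    }


def header_filter_allows(fields: dict) -> bool:
    """Packet-filter decision: destination and port only, payload never examined."""
    return fields["dst"] == PROTECTED_HOST and fields["dst_port"] in ALLOWED_DST_PORTS


def payload_inspection_allows(payload: bytes) -> bool:
    """Application-level decision: parse the HTTP request line like a proxy would."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    if method not in ("GET", "HEAD") or not version.startswith("HTTP/1."):
        return False
    # Reject path traversal in the request target (assumed policy).
    if not target.startswith("/") or ".." in target.split("/"):
        return False
    return True


def decide(packet: bytes) -> tuple:
    """Return (header-only verdict, proxy verdict) for one packet."""
    fields = parse_ipv4_tcp(packet)
    header_verdict = "allow" if header_filter_allows(fields) else "drop"
    proxy_verdict = "allow" if (header_verdict == "allow"
                                and payload_inspection_allows(fields["payload"])) else "drop"
    return header_verdict, proxy_verdict


# Constructed sample traffic from an external host toward the protected host.
BENIGN = build_ipv4_tcp("198.51.100.7", PROTECTED_HOST, 40001, 80,
                        b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
TRAVERSAL = build_ipv4_tcp("198.51.100.7", PROTECTED_HOST, 40002, 80,
                           b"GET /../../etc/passwd HTTP/1.1\r\nHost: example\r\n\r\n")
TELNET = build_ipv4_tcp("198.51.100.7", PROTECTED_HOST, 40003, 23, b"root\r\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("traversal", TRAVERSAL), ("telnet", TELNET)):
        print(name, decide(pkt))
```

The second sample is the case the text is concerned with: the header-only firewall allows it because the 5-tuple is permitted, and only a component that parses the payload at the application level catches it. Whether that component blocks the packet (a proxy) or merely raises an alarm after the fact (a sniffer) is exactly the trade-off the background describes.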