As computing power and computer memory have been miniaturized and become more affordable, computer networks have largely displaced mainframe and minicomputer technology as a business automation platform. Public information networks have also sprung up around the world. The largest and most pervasive public network is the Internet which was created in the late 1960s as a United States Department of National Defence project to build a network connecting various military sites and educational research centers. While the interconnection of private networks with public networks such as the Internet may provide business opportunities and access to vital information, connecting a private, secure network to a public network is hazardous unless some form of secure gateway is installed between the two networks to serve as a "firewall".
Public networks, as their name implies, are accessible to anyone with compatible hardware and software. Consequently, public networks attract vandals as well as amateurs and professionals involved in industrial espionage. Private networks invariably store trade secret and confidential information which must be protected from exposure to unauthorized examination, contamination, destruction or retrieval. Any private network connected to a public network is vulnerable to such hazards unless the networks are interconnected through a secure gateway which prevents unauthorized access from the public network.
A great deal of effort has been dedicated to developing secure gateways for internetwork connection. As noted above, these gateways are commonly referred to as firewalls. The term firewall is broadly used to describe practically any internetwork security scheme. Firewalls are generally developed on one or more of three models: the screening router, the bastion host and the dual homed gateway. These models may be briefly defined as:
Screening router--Screening routers typically have the ability to block traffic between networks or specific hosts on an IP port level. Screening routers can be specially configured commercial routers or host-based packet filtering applications. Screening routers are a basic component of many firewalls. Some firewalls consist exclusively of a screening router or a packet filter.
Bastion host--Bastion hosts are host systems positioned between a private network and a public network which have particular attention paid to their security. They may run special security applications, undergo regular audits, and include special features such as "sucker traps" to detect and identify would-be intruders.
Dual homed gateway--A dual homed gateway is a bastion host with a modified operating system in which TCP/IP forwarding has been disabled. Therefore, direct traffic between the private network and the public network is blocked. The private network can communicate with the gateway, as can the public network but the private network cannot communicate with the public network except via the public side of the dual homed gateway. Application level or "proxy" gateways are often used to enhance the functionality of dual homed gateways. Much of the protocol level software on networks operates in a store-and-forward mode. Prior art application level gateways are service-specific store-and-forward programs which commonly operate in user mode instead of at the protocol level.
All of the internetwork gateways known to date suffer from certain disadvantages which compromise their security or inconvenience users. Most known internetwork gateways are also potentially susceptible to intruders if improperly used or configured.
The only firewall for many network installations is a screening router which is positioned between the private network and the public network. The screening router is designed to permit communications only through certain predesignated ports. Many network services are offered on specific designated ports. Generally, screening routers are configured to permit all outbound traffic from the private network while restricting inbound traffic to those certain specific ports allocated to certain network services. A principal weakness of screening routers is that the router's administrative password may be compromised. If an intruder is capable of communicating directly with the router, the intruder can very easily open the entire private network to attack by disabling the screening algorithms. Unfortunately, this is extremely difficult to detect and may go completely unnoted until serious damage has resulted. Screening routers are also subject to permitting vandalism by "piggybacked" protocols which permit intruders to achieve a higher level of access than was intended to be permitted.
Packet filters are a more sophisticated type of screening that operates on the protocol level. Packet filters are generally host-based applications which permit certain communications over predefined ports. Packet filters may have associated rule bases and operate on the principle of "that which is not expressly permitted is prohibited". Public networks such as the Internet operate in TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity of 64K communication ports. It is therefore generally considered impractical to construct and maintain a comprehensive rule base for a packet filter application. Besides, packet filtering is implemented using the simple Internet Protocol (IP) packet filtering mechanisms which are not regarded as being robust enough to permit the implementation of an adequate level of protection. The principal drawback of packet filters is that they are executed by the operating system kernel and there is a limited capacity at that level to perform screening functions. As noted above, protocols may be piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to access the private network.
The dual homed gateway is an often used and easy to implement alternative. Since the dual homed gateway does not forward TCP/IP traffic, it completely blocks communication between the public and private networks. The ease of use of a dual homed gateway depends upon how it is implemented. It may be implemented by giving users logins to the public side of the gateway host, or by providing application gateways for specific services. If users are permitted to log on to the gateway, the firewall security is seriously weakened because the risk of an intrusion increases substantially, perhaps exponentially, with each user login due to the fact that logins are a vulnerable part of any security system. Logins are often compromised by a number of known methods and are the usual entry path for intruders.
The alternative implementation of a dual homed gateway is the provision of application gateways for specific network services. Application gateways have recently gained general acceptance as a method of implementing internetwork firewalls. Application gateways provide protection at the application level and the Transmission Control Protocol (TCP) circuit layer. They therefore permit data sensitivity checking and close loopholes left in packet filters. Firewalls equipped with application gateways are commonly labelled application level firewalls. These firewalls operate on the principle of "that which is not expressly permitted is prohibited". Users can only access public services for which an application gateway has been installed on the dual homed gateway. Although application level firewalls are secure, the known firewalls of this type are also inefficient. The principal disadvantage of known application level firewalls is that they are not transparent to the user. They generally require the user to execute time-consuming extra operations or to use specially adapted network service programs. For example, in an open connection to the Internet, a user can Telnet directly to any host on the Internet by issuing the following command:
Telnet target.machine PA1 Telnet firewall PA1 Telnet target.machine PA1 a) accepting from either network all communications packets that are encapsulated with a hardware destination address that matches the device address of the gateway; PA1 b) determining whether there is a process bound to a destination port number of an accepted communications packet; PA1 c) establishing a first communications session with a source address/source port of the accepted communications packet if there is a process bound to the destination port number, else dropping the packet; PA1 d) establishing a second communications session with a destination address/destination port number of the accepted communications packet if a first communications session is established; and PA1 e) transparently moving data associated with each subsequent communications packet between the respective first and second communications sessions, whereby the first session communicates with the source and the second session communicates with the destination using the data moved between the first and second sessions. PA1 a gateway station adapted for connection to a telecommunications connection with each of the private network and the potentially hostile network; PA1 an operating system executable by the gateway station, a kernel of the operating system having been modified so that the operating system: PA1 at least one proxy process executable by the gateway station, the proxy process being adapted to transparently initiate a first communications session with a source of an initial data packet accepted by the operating system and to transparently initiate a second communications session with a destination of the packet, and to transparently pass a data portion of packets received by the first communications session to the second communications session and to pass the data portion of packets received by the second communications session to the first communications session, whereby the first session communicates with the source using data from the second session and the second session communicates with the destination using data received from the first session. PA1 telnet publictarget.machine
However if the user is behind an application level firewall, the following command must be issued:
After the user has established a connection with the firewall, the user will optionally enter a user ID and a password if the firewall requires authentication. Subsequent to authentication, the user must request that the firewall connect to the final Telnet target machine. This problem is the result of the way in which the UNIX operating system handles IP packets. A standard TCP/IP device will only accept and attempt to process IP packets addressed to itself. Consequently, if a user behind an application firewall issues the command:
an IP packet will be generated by the user workstation that is encapsulated with the device address of the firewall but with an IP destination address of the target.machine. This packet will not be processed by the firewall station and will therefore be discarded because IP packet forwarding has been disabled in the application level firewall.
Known application level firewalls also suffer from the disadvantage that to date application interfaces have been required for each public network service. The known application level firewalls will not support "global service" or applications using "dynamic port allocations" assigned in real time by communicating systems.
Users on private networks having an application level firewall interface therefore frequently install "back doors" to the public network in order to run services for which applications have not been installed, or to avoid the inconvenience of the application gateways. These back doors provide an unscreened, unprotected security hole in the private network which renders that network as vulnerable as if there were no firewall at all.