A critical computer network that receives data from outside is vulnerable to attacks that place code in the data. For this reason, such networks are usually protected by firewall processors which check the data to ensure that it contains no code.
Many products are available to provide this kind of protection, including Firewall-1 from CheckPoint Software Technologies Limited.
However, a sophisticated attacker might use malformed data to take control of the firewall itself. Such attacks work because software that mishandles malformed data often fails in such a way as to execute some portion of the data. The attacker can contrive to cause the software to fail and execute data of their choosing, thus giving them control of the firewall. Once the attacker has control of the firewall they are generally free to access the resources of the critical network in arbitrary ways.
Referring to FIG. 1, communications protocols are built up in layers 1, with the services offered by one layer being used to implement a richer protocol at the next layer. Firewalls 2 operate by intercepting the lower layer communications between two networks and performing some checks on that communication. The number of layers that are intercepted can be varied, providing a trade-off between strength and performance.
Firewalls that intercept only the very lowest protocol layer are faster because minimal protocol handling is required. However, they have limited strength because attacks or errors occurring above the intercepted layers pass unseen. In contrast, firewalls that intercept all the layers of protocol are slower because they must perform more protocol handling, but are stronger because they can check all information in the communications.
It is well known how to construct firewalls using software and a general purpose computer with two network interface cards. The book “Building Internet Firewalls” by Zwicky et al., published by O'Reilly, provides a standard reference, and Cisco Systems of San Jose, Calif. offer a variety of products.
The security weakness with such application level firewalls is that any flaws, or configuration mistakes, in the network stack may lead to the checks being bypassed.
Referring now to FIG. 2, the weakness of the network stack was noted by Nemoto who disclosed a solution (U.S. Pat. No. 6,032,259) that avoided failures in the protocol stack resulting in the checks being bypassed.
In Nemoto's solution an external computer 3 (referred to in that patent as “outside host”) uses an application proxy 4 to intercept communication at the highest level and forward it to the firewall 5 (“inside host”) using a simple dedicated communication mechanism rather than a network interface. In this way errors in the complex protocol stack software of the firewall do not lead to the checks being bypassed.
Nemoto's solution relies on the simplicity that can be achieved by using a dedicated communication mechanism. However, Nemoto's solution excludes the use of fast network interfaces, because these allow shared use and require complex software to control them.
If Nemoto's solution were used with a complex communication mechanism, the software required in the firewall would be complex. Any errors in this software would leave the firewall open to attack from the external computer, which is itself open to attack from other computers on the external network.
Hence Nemoto's solution is limited in terms of the performance it can deliver and this cannot be improved without affecting confidence in the security of the solution.
Referring now to FIG. 3, a potential solution to reduce a firewall's vulnerability to implementation flaws in the protocol stack is to implement the firewall's function in hardware. Possible techniques are described in Cheng's master's dissertation for the University of Saskatchewan entitled “Silicon Firewall Prototype” and the paper “Specialized Hardware for Deep Network Packet Filtering” by Cho et al. of the University of California in Los Angeles.
These hardware solutions reproduce the protocol handling 6 and checking 7 functionality of a firewall 8 using logic gates rather than software. Logic gates cannot, under operational conditions, be rearranged while software can be modified “on-the-fly”. As a result, the attacker is denied the possibility of gaining control over the firewall's protocol stack.
However, the complexity of standard Internet protocols is such that the techniques are only practical for lower layer protocols, such as TCP/IP, rather than application level protocols such as SMTP.
The fact that these hardware firewalls can, in practice, only apply checks to lower level protocols means they are easily defeated if mistakes occur in the higher level protocols.
Referring now to FIG. 4, an alternative arrangement of hardware logic which works at the application protocol level is described in co-pending international patent application GB05/001844. This describes how a simple hardware device 9 can apply a simple digital signature check 10 to application data passing from one network to another.
This solution avoids relying on the correct operation of any complex network stack by running the check directly in the hardware device that is handling the low level communications. Complex application specific checks are accommodated by performing them on separate computers within the protected network and then applying a digital signature to the data to signify that it has been checked. It is this digital signature that is validated by the hardware device.
Such a solution is not, however, applicable for data sent into a protected network from a potentially hostile network. This is because the application-specific checkers would be hosted on the hostile network and so are prone to attack, allowing an attacker to have a digital signature applied to data that should not be allowed to enter the protected system.
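The following Go program is an added illustration of the arrangement described above and of its limitation; it is not code from this application or from GB05/001844, which describe only a generic “digital signature check”. It assumes Ed25519 as the signature scheme and a constructed application check (printable ASCII, bounded length) standing in for whatever application-specific checks a real deployment would run. The checker holds the private key and signs only data that passed its check; the gateway holds a single trusted public key and forwards a message only if the signature verifies. The final case shows why the inbound direction is unsafe: a signer whose key the gateway does not trust is rejected, but trust is entirely a property of which key the gateway is provisioned with, so a checker hosted on the hostile side that is compromised could sign arbitrary data with a trusted key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Message is what crosses the gateway: application data plus the signature
// that the checker applied after the data passed its application check.
type Message struct {
	Data      []byte
	Signature []byte
}

var (
	ErrCheckFailed = errors.New("checker: application check failed")
	ErrSignature   = errors.New("gateway: signature does not verify")
)

// Checker models the application-specific checker hosted inside the
// protected network. It is the only component holding the private key.
type Checker struct {
	priv ed25519.PrivateKey
}

// NewChecker generates a fresh Ed25519 key pair (assumption: the patent text
// does not name a scheme).
func NewChecker() (*Checker, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Checker{priv: priv}, nil
}

// PublicKey is the value the gateway is provisioned with.
func (c *Checker) PublicKey() ed25519.PublicKey {
	return c.priv.Public().(ed25519.PublicKey)
}

// Check runs a constructed application check: non-empty, at most maxLen
// bytes, and only printable ASCII plus CR/LF. Data that fails is never signed,
// so it can never be forwarded by the gateway.
const maxLen = 1024

func (c *Checker) Check(data []byte) (Message, error) {
	if len(data) == 0 || len(data) > maxLen {
		return Message{}, ErrCheckFailed
	}
	for _, b := range data {
		if b != '\r' && b != '\n' && (b < 0x20 || b > 0x7e) {
			return Message{}, ErrCheckFailed
		}
	}
	return Message{Data: data, Signature: ed25519.Sign(c.priv, data)}, nil
}

// Gateway models the simple hardware device: verify against one fixed public
// key and forward, or drop. It never parses the application protocol.
type Gateway struct {
	pub ed25519.PublicKey
}

// Forward returns the data if the signature verifies under the trusted key.
func (g Gateway) Forward(m Message) ([]byte, error) {
	if !ed25519.Verify(g.pub, m.Data, m.Signature) {
		return nil, ErrSignature
	}
	return m.Data, nil
}

func main() {
	trusted, _ := NewChecker()
	gw := Gateway{pub: trusted.PublicKey()}

	// Constructed sample payload passes the check and is forwarded.
	m, _ := trusted.Check([]byte("MAIL FROM:<alice@example.test>\r\n"))
	out, err := gw.Forward(m)
	fmt.Printf("signed by trusted checker: %q err=%v\n", out, err)

	// Data modified after signing is dropped.
	tampered := Message{Data: append([]byte("X"), m.Data[1:]...), Signature: m.Signature}
	_, err = gw.Forward(tampered)
	fmt.Println("tampered after signing:", err)

	// A signer whose key the gateway does not trust is dropped, whatever it
	// signs: the gateway's security reduces to custody of the trusted key.
	untrusted, _ := NewChecker()
	m2, _ := untrusted.Check([]byte("HELO attacker.example.test\r\n"))
	_, err = gw.Forward(m2)
	fmt.Println("signed by untrusted key:", err)
}
```

The gateway's code path contains no protocol parsing at all, which is the point of moving the check into a simple device; everything that could fail on malformed input lives in the checker, on the trusted side of the boundary.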