A packet is a discrete unit of data transmitted between computers. Packets are transmitted from one computer to another using a protocol. Transmission Control Protocol (TCP) is a common protocol and governs the breakup, transmission, reassembly, and verification of complete messages from one computer to another via Internet Protocol (IP) addresses. Many other protocols exist, including Simple Mail Transfer Protocol (SMTP), Point-to-Point Protocol (PPP), Internet Control Message Protocol (ICMP), and User Datagram Protocol (UDP). Each packet carries a header containing the IP source address, the IP destination address, the protocol type (e.g. TCP, UDP, or ICMP), the TCP or UDP source and destination ports, or, for ICMP, the message type. Use of protocols to transmit packets is well known in the art.
Firewalls are used in designing and building computer networks and are also well known in the art. A firewall is a device that filters data between two computers or networks to ensure that one computer or network is more secure than the other. Firewalls fall into one of two categories depending on their function. Packet filtering firewalls are used when connecting to the Internet to control which packets may reach the protected computers, for example to keep worms and viruses away from them. Proxy firewalls are used to monitor, control, and record outbound traffic to the Internet. In both cases the traffic consists of packets transmitted from one computer or network to another computer or network.
The internal structure of a packet filtering firewall contains a switch connected to two computers or networks and a set of rules stored in memory. When one computer or network attempts to transmit a packet through the firewall to another computer or network, the firewall analyzes the packet and determines whether the rules permit or deny passage of the packet. The rules are specific to individual packets and are derived from security policies. Policies are broader than rules and define what type of access the protected computer should have. For example, if the security policy were to prohibit access to pornographic web sites, the rules would deny the specific packets that implement that policy (traffic to and from the addresses of such sites, content containing X-rated material or vulgar words, and so forth). While the security policies broadly define the limits of the computer's access to the Internet, each rule is very specific about the type of packet permitted or denied across the firewall. As an example, a very simple set of rules would look like:
TABLE 1. Sample Rules

Rule  Action  Protocol  Source    Destination
1     Permit  UDP       Any       10.0.0.1
2     Deny    UDP       Any       10.0.0.2
3     Permit  SMTP      10.0.0.0  10.0.0.255
4     Permit  IP        Any       10.0.0.3
5     Deny    IP        Any       Any

The rules are consulted in order, and the first rule that matches a packet decides its fate. Generally, if the packet is not permitted by one of the rules, the packet is denied. Because of the technical and complex nature of rules, the creation and ordering of rules is best accomplished by a person of ordinary skill in the art.
FIG. 1 is an illustration of the security configuration associated with a firewall. In FIG. 1, firewall 42 is installed between Internet 40 and computer 44. As can be seen in FIG. 1, the prior art only allows two security zones: a secured zone and an unsecured zone. In the example depicted in FIG. 1, firewall 42 analyzes packets transmitted between Internet 40 and computer 44 and blocks the transmission of packets denied by the rules in firewall 42. Every packet transmitted from Internet 40 to computer 44 is analyzed by firewall 42 and is compared to all of the rules until the packet is permitted or denied by a rule. If the packet is not permitted under one of the rules, the packet is denied.
A router is a device which connects a plurality of computers or computer networks to one another and to the Internet. Routers are also well known in the art. Because routers and firewalls are frequently used together, it is common for packet filtering firewalls to be installed within routers. FIG. 2 is an illustration of a prior art router with a firewall installed. Router 50 is connected to Internet 40 and to a plurality of Virtual Local Area Networks (VLANs) 62. VLANs 62 are computer networks that communicate with each other and have access to Internet 40. Router 50 contains switch 52, processor 54, and memory 56 containing rules 58. Switch 52 contains a plurality of network interface cards and is the actual connection between Internet 40, processor 54, and VLANs 62. When Internet 40 attempts to transmit a packet through router 50 to one of the VLANs 62, processor 54 analyzes the packet and determines whether rules 58 permit the packet. If rules 58 permit the packet, the packet is transmitted to its destination. If rules 58 deny the packet, the packet is blocked: it is either discarded or rejected with an error notification returned to its source.
One of the shortcomings of prior art firewalls is that each firewall creates only two security levels: a secured area and an unsecured area. However, when configuring a complicated computer network, such as an intranet, many different security levels are desired. In order to achieve multiple security levels, a network administrator must install a plurality of prior art routers and/or firewalls in the intranet. FIG. 3 illustrates a simplified network configuration in which a plurality of security levels are obtained through multiple routers and/or firewalls. Internet 40 is generally considered unsecured and thus receives a security level of 0. Packets must pass through router/firewall 50 before reaching network servers 70. The network is protected by firewall 50 and thus receives a security level of 1. Network servers 70 serve a plurality of workstations 72. While the security level for network servers 70 may be the same as that for workstations 72, an increased security level is desired for administrative and backup networks. Therefore, packets must pass through an additional router/firewall 50 with additional rules before reaching backup servers 74. Because packets must pass through the backup firewall 50 with additional rules, backup servers 74 have a security level of 2. Finally, the administrator usually desires that administrative networks receive the highest level of protection. Therefore, packets must pass through a router/firewall 50 with the most stringent rules before reaching administrative servers 76. Because of the stringent rules in the administrative firewall 50, administrative servers 76 are given a security level of 3.
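The following Python is an added illustration and is not part of the patent text. It implements two things described above: the first-match evaluation of Table 1 (a packet is compared against the rules in order, the first matching rule decides, and a packet matching no rule is denied), and the chained arrangement of FIG. 3, in which a packet must be permitted by every router/firewall 50 between its source zone and its destination zone before it reaches a higher security level. Only the five rules of Table 1 come from the text; the address ranges, ports, the three per-firewall rule sets, and the tree shape (backup servers 74 and administrative servers 76 each behind their own firewall off the level-1 network, rather than behind one another) are assumptions made for this example.

```python
"""Added example, not from the patent: first-match filtering (Table 1) and the chained firewalls of FIG. 3."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # from the IP header: "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: Optional[int] = None  # TCP/UDP destination port; None for ICMP

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "Permit" or "Deny"
    proto: str                   # "IP" = any protocol; "SMTP" = TCP to port 25, as used in Table 1
    src: str                     # "Any", one address, or a CIDR prefix
    dst: str
    dport: Optional[int] = None  # None = any port

def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "Any" or ip_address(addr) in ip_network(pattern, strict=False)

def _proto_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "IP":
        return True
    if rule.proto == "SMTP":
        return pkt.proto == "TCP" and pkt.dport == 25
    return rule.proto == pkt.proto and rule.dport in (None, pkt.dport)

def evaluate(rules, pkt):
    """Rules are tried in order and the first match decides; no match is an implicit deny."""
    for rule in rules:
        if _proto_matches(rule, pkt) and _addr_matches(rule.src, pkt.src) \
                and _addr_matches(rule.dst, pkt.dst):
            return rule.action, rule.number
    return "Deny", None

# Table 1 as printed (rule 3's endpoints taken as single host addresses).
TABLE_1 = [
    Rule(1, "Permit", "UDP",  "Any",      "10.0.0.1"),
    Rule(2, "Deny",   "UDP",  "Any",      "10.0.0.2"),
    Rule(3, "Permit", "SMTP", "10.0.0.0", "10.0.0.255"),
    Rule(4, "Permit", "IP",   "Any",      "10.0.0.3"),
    Rule(5, "Deny",   "IP",   "Any",      "Any"),
]

# FIG. 3 zones; each non-Internet zone is entered through its own router/firewall 50.
# Address ranges and the tree shape are assumptions of this example, not from the text.
ZONES = {
    "Internet":       {"level": 0, "parent": None,       "nets": []},
    "network":        {"level": 1, "parent": "Internet", "nets": ["10.0.1.0/24", "10.0.2.0/24"]},
    "backup":         {"level": 2, "parent": "network",  "nets": ["10.0.3.0/24"]},
    "administrative": {"level": 3, "parent": "network",  "nets": ["10.0.4.0/24"]},
}
FIREWALLS = {  # constructed rule set of the firewall guarding each zone's entry
    "network": [Rule(1, "Permit", "TCP",  "Any",         "10.0.1.0/24", 80),  # web on servers 70
                Rule(2, "Permit", "SMTP", "Any",         "10.0.1.0/24"),      # mail to servers 70
                Rule(3, "Permit", "IP",   "10.0.0.0/16", "Any"),              # inside hosts may go out
                Rule(4, "Deny",   "IP",   "Any",         "Any")],
    "backup": [Rule(1, "Permit", "TCP", "10.0.1.0/24", "10.0.3.0/24", 22),    # only servers 70 push backups
               Rule(2, "Deny",   "IP",  "Any",         "Any")],
    "administrative": [Rule(1, "Permit", "TCP", "10.0.2.10", "10.0.4.0/24", 22),  # one admin workstation
                       Rule(2, "Deny",   "IP",  "Any",       "Any")],
}

def zone_of(addr: str) -> str:
    a = ip_address(addr)
    for name, zone in ZONES.items():
        if any(a in ip_network(n) for n in zone["nets"]):
            return name
    return "Internet"            # anything outside the listed ranges is level 0

def _chain(zone):                # the zone and its ancestors up to the Internet
    out = []
    while zone is not None:
        out.append(zone)
        zone = ZONES[zone]["parent"]
    return out

def firewalls_on_path(src_zone: str, dst_zone: str):
    """Zones whose entry firewall the packet crosses, in the order crossed."""
    src_chain, dst_chain = _chain(src_zone), _chain(dst_zone)
    lca = next(z for z in src_chain if z in dst_chain)   # nearest common ancestor
    leaving = src_chain[:src_chain.index(lca)]            # crossed outbound, innermost first
    entering = dst_chain[:dst_chain.index(lca)][::-1]     # crossed inbound, outermost first
    return leaving + entering

def admit(pkt: Packet):
    """Every firewall on the path must permit the packet; the first deny ends it."""
    trace = []
    for zone in firewalls_on_path(zone_of(pkt.src), zone_of(pkt.dst)):
        action, number = evaluate(FIREWALLS[zone], pkt)
        trace.append((zone, ZONES[zone]["level"], number))
        if action == "Deny":
            return "Deny", trace
    return "Permit", trace
```

Two points the code makes concrete. First, rule order is part of the policy: moving the catch-all rule 5 of Table 1 to the front shadows every permit, which is why the text leaves ordering to a person of ordinary skill. Second, the security level of a zone in FIG. 3 is simply the number of firewalls a packet from Internet 40 must be permitted by: a packet bound for administrative servers 76 that is denied at the level-1 firewall never reaches the stricter administrative rules, whereas hosts that share a zone (servers 70 and workstations 72) cross no firewall at all.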
One of the problems with the computer network configuration depicted in FIG. 3 is that each router/firewall is expensive and time consuming to install, configure, test, and maintain, and that cost grows with the number of individual firewalls. The number of firewalls cannot be reduced using the prior art firewalls because the prior art firewalls do not allow the network administrator to use a single firewall to create multiple security levels. Therefore, a need exists for a method of reducing the number of firewalls in a computer network configuration.
The prior art firewalls are limited in that an individual firewall is needed for each security boundary. Even with the prior art routers supporting multiple computer networks, the firewall within the router is not able to create different security levels within the individual computer networks. Because a router can connect to multiple computer networks, it would be useful if the firewall could create multiple security levels in those networks, since a network administrator could then utilize a single firewall where a plurality of firewalls were previously required. In other words, the network administrator would have created a plurality of virtual firewalls from a single firewall. Therefore, a need exists in the art for a firewall that allows a network administrator to create multiple security levels using a single firewall.