1. Field of the Invention
The present invention relates generally to computer security and, more particularly, to a system with methodology for securing individual end points.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
With the ever-increasing popularity of the Internet, however, more and more computers are connected to larger networks. Providing access to vast stores of information, the Internet is typically accessed by users through Web “browsers” (e.g., Microsoft® Internet Explorer or Netscape Navigator) or other Internet applications. Browsers and other Internet applications include the ability to access a URL (Universal Resource Locator) or “Web” site. In the last several years, the Internet has become pervasive and is used not only by corporations, but also by a large number of small businesses and individual users for a wide range of purposes.
As more and more computers are now connected to the Internet, either directly (e.g., over a dial-up or broadband connection with an Internet Service Provider or “ISP”) or through a gateway between a LAN and the Internet, a whole new set of challenges faces LAN administrators and individual users alike: these previously closed computing environments are now open to a worldwide network of computer systems. A particular set of challenges involves attacks by perpetrators (hackers) capable of damaging the local computer systems, misusing those systems, and/or stealing proprietary data and programs.
The software industry has, in response, introduced a number of products and technologies to address and minimize these threats, including “firewalls”, proxy servers, and similar technologies—all designed to keep malicious users (e.g., hackers) from penetrating a computer system or corporate network. Firewalls are applications that intercept the data traffic at the gateway to a Wide Area Network (“WAN”) and check the data packets (i.e., Internet Protocol packets or “IP packets”) being exchanged for suspicious or unwanted activities.
Another security measure that has been utilized by many users is to install an end point security (or personal firewall) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computer. One such product is assignee's ZoneAlarm® product that is described in detail in U.S. Pat. No. 5,987,611, the disclosure of which is hereby incorporated by reference. For example, an end point security product may permit specific “trusted” applications to access the Internet while denying access to other applications on a user's computer. To a large extent, restricting access to “trusted” applications is an effective security method. However, despite the effectiveness of end point security products, issues remain in protecting computer systems against attack by malicious users and applications.
One particular problem that remains is how to secure individual end points—that is, the individual computers and devices that access a firm's data (e.g., data stored on corporate servers). Today's environment is characterized by insecure end points accessing data. This results from the common assumption that one's own internal end points (e.g., within a corporate setting) can be trusted, since those end points already benefit from some degree of protection. Traditionally, corporate networks have been built on the notion that end points are protected and that the perimeter serves as the enforcement point (e.g., firewall, VPN server, etc.). That basic perimeter enforcement structure works fairly well, but it has two disadvantages. First, security policy assignment (i.e., which policy is applied to each user) is somewhat complicated, since the perimeter offers little differentiation between users (it operates at the packet level of incoming and outgoing network traffic). Second, with the ever-increasing availability of wireless network access points, the assumption that a protected or trusted environment exists within one's enterprise becomes increasingly problematic. For example, a corporate network can be compromised simply by an individual (authorized or not) plugging an inexpensive wireless hub into the corporation's internal network. Thus, with the advent of inexpensive wireless hubs, corporate networks have become increasingly susceptible to compromise.
With this present-day situation, security policy assignment is complicated since it is based not only on the user and the user's group memberships (identifications), but also, in part, on the particular network from which a given user is connecting (i.e., onto which the user has logged). Ultimately, it would be easier to assign a policy based simply on what particular data a given user is actually accessing. Policy assignment is further complicated with existing approaches by the multitude of paths available for a given user to access a network. Within a large enterprise, the different pathways available from an arbitrary end point to a corporate server are difficult to describe in a manner that would allow simple policy assignment. Thus, in a complicated enterprise network, the traditional choke points that would provide a convenient point of enforcement and policy assignment are not always available.
Another complication with existing approaches is that they rely on different types of technologies, such as encryption, to protect different segments of a network. In many cases, however, this cannot be done reliably. For example, for a VPN solution, a VPN box (hardware) is installed on the home perimeter. Everything on the unencrypted side of the VPN box is susceptible to attack. This vulnerability applies not only to the one end point that one is trying to protect (with VPN) but also any other machine that is connected to that end point as well.
FIG. 1A is a block diagram illustrating a classic network environment with remote access. As shown, the environment 100 includes a remote client 110 comprising an end point computer 111 that connects over the Internet to an enterprise network 120 via a VPN CPE (client premises equipment) device 112. At the enterprise network 120, the incoming remote connection passes through a VPN gateway/firewall 121, which then allows authenticated connections to connect to a server farm 125 (e.g., a collection of corporate servers). Each of the segments is traditionally protected using a different type of technology. For example, the enterprise network 120 relies on physical security (i.e., that no unauthorized individual is able to access the network) as an important component of its protection. At the remote client 110, the firm is relying on other measures—that is, on the VPN CPE device 112 to secure the end point computer 111.
Although the network environment 100 shown in FIG. 1A appears to be relatively secure, suppose an individual (authorized or not) installs a wireless hub. FIG. 1B is a block diagram illustrating the network environment of FIG. 1A (now shown as 100a) after placement of a wireless hub 131 inside the enterprise network 120. This immediately places the network at risk. More particularly, the conventional enforcement or choke point at the gateway 121 is ineffective for enforcing security for connections to the wireless hub 131. For example, unauthorized end point computer 133 (e.g., laptop with 802.11b or 802.11g wireless connectivity) may connect to the enterprise network 120 via the wireless hub 131, thereby bypassing security enforcement at the gateway 121. Similarly, an individual can install a wireless hub at a remote node, such as a VPN client. FIG. 1C is a block diagram illustrating the network environment of FIG. 1A (now shown as 100b) after placement of a wireless hub 141 inside the remote client 110. Again, this immediately places the network at risk, since an unauthorized end point computer 143 may connect to the enterprise network 120 via the wireless hub 141. Here, the conventional enforcement at the gateway 121 may be ineffective for enforcing security for connections to the wireless hub 141, since the gateway believes that the traffic is coming solely from the authenticated end point computer 111.
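The two failure modes described for FIG. 1B and FIG. 1C can be checked mechanically: a perimeter enforcement point is only effective if every path from an untrusted origin to the server farm traverses it, and if the traffic it inspects is attributed to the right end point. The following is an added example written for this page, not code from the patent or its assignee. It models the three figures as graphs whose node names carry the figures' reference numerals; the edge lists are this editor's reading of the figures and are an assumption, as is the rule that gateway 121 attributes anything arriving over the VPN CPE 112 tunnel to end point 111.

```python
from collections import deque

# Constructed topologies (an assumption based on FIG. 1A-1C, not given
# by the patent). Node names use the figures' reference numerals.
FIG_1A = [
    ("endpoint_111", "vpn_cpe_112"),
    ("vpn_cpe_112", "internet"),
    ("internet", "gateway_121"),
    ("gateway_121", "enterprise_lan_120"),
    ("enterprise_lan_120", "server_farm_125"),
]
# FIG. 1B: wireless hub 131 plugged into the enterprise LAN, rogue laptop 133.
FIG_1B = FIG_1A + [("enterprise_lan_120", "wireless_hub_131"),
                   ("wireless_hub_131", "rogue_133")]
# FIG. 1C: wireless hub 141 attached at the remote client, rogue laptop 143.
FIG_1C = FIG_1A + [("endpoint_111", "wireless_hub_141"),
                   ("wireless_hub_141", "rogue_143")]

ENFORCEMENT = "gateway_121"      # the perimeter choke point
TARGET = "server_farm_125"       # the data the policy is meant to protect
TUNNEL = "vpn_cpe_112"           # gateway identifies traffic by the tunnel it arrives on
AUTHENTICATED = "endpoint_111"   # the only end point the tunnel is meant to carry


def build_graph(edges):
    """Undirected adjacency map from an edge list."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the node list from start to goal, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def classify_origin(graph, origin):
    """How traffic from `origin` to the server farm looks to the gateway."""
    path = shortest_path(graph, origin, TARGET)
    if path is None:
        return "unreachable"
    if ENFORCEMENT not in path:
        # FIG. 1B case: the gateway never sees this traffic at all.
        return "bypasses_enforcement"
    if TUNNEL in path and origin != AUTHENTICATED:
        # FIG. 1C case: the gateway sees it, but as end point 111's traffic.
        return "misattributed"
    return "enforced"


def audit(edges, origins):
    """Map each origin to its classification for a given topology."""
    graph = build_graph(edges)
    return {origin: classify_origin(graph, origin) for origin in origins}


def unenforced_origins(edges, origins):
    """Origins whose access to the server farm the perimeter does not correctly enforce."""
    return sorted(o for o, verdict in audit(edges, origins).items()
                  if verdict != "enforced")


if __name__ == "__main__":
    origins = ["endpoint_111", "rogue_133", "rogue_143"]
    for name, edges in (("FIG. 1A", FIG_1A), ("FIG. 1B", FIG_1B), ("FIG. 1C", FIG_1C)):
        print(name, audit(edges, origins))
```

The audit distinguishes the two ways a perimeter fails: in FIG. 1B the rogue laptop's path to the server farm never crosses gateway 121, while in FIG. 1C it does cross the gateway but is indistinguishable there from the authenticated end point. Both results are "not enforced" from the data's point of view, which is why the text argues that per-end-point enforcement, rather than a perimeter check, is what is actually needed.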
All told, with the advent of such technologies as low-cost wireless access points, it is becoming increasingly more difficult to protect the different segments of a network environment using traditional means. What is needed is a system providing methodology for ensuring that the individual end points themselves are secure. The present invention fulfills this and other needs.