1. Field of the Invention
This invention relates to computer network security. Particularly, this invention relates to protecting computers in a network from malicious network traffic using programmable packet filters.
2. Description of the Related Art
Most large software applications written in languages such as C or C++ have a number of potential security flaws in them. In many cases, malicious packets crafted by a remote attacker can either crash the application or, as is becoming more common, take over the application and allow the hacker to execute his own malicious code. The latter is facilitated by a number of freely available frameworks enabling this form of attack.
In response, the conventional wisdom among application developers is to review their code to try to reveal dangerous programming practices that may allow maliciously crafted packets to overflow buffers, and to test for this type of vulnerability. Another technique uses “fuzzers,” which semi-randomly create packets to try to expose programming errors in handling such packets. However, both of these activities are imperfect, as they are susceptible to human error that allows vulnerabilities in the software to remain.
In addition, there is an increasing demand that application vendors respond rapidly with patches when such vulnerabilities arise. However, this can be difficult, as the time to fix an application, test the fix and then deploy it can be excessive and provide a window for hackers to exploit the vulnerability. To help cover this period of vulnerability, an industry has emerged that provides specialized firewalls for all traffic to pass through, prior to reaching the application. These firewalls are programmable hardware devices that can typically be configured on the fly to identify potentially dangerous packets and discard these packets before they reach the application. However, these specialized devices have some shortcomings.
All network traffic has to be routed through such firewalls and thus they present a network bottleneck. Care must also be taken that all key application servers are positioned behind such firewall devices. This can be a particular problem if one is trying to protect a large number of servers in branch offices, for example.
In addition, such firewall devices are expensive to procure, as a service contract is usually also required to update these boxes with the digital signatures of malicious packets. Moreover, users pay for the protection they provide to hundreds of different applications, even if a particular installation employs only one or two applications. For example, a user may pay for the overhead of companies such as ISS, TippingPoint or iDefense to collect information on all vulnerabilities across all enterprise products.
Finally, such firewall devices are typically only implemented as a stop-gap solution between the time when a vulnerability is detected and when an application vendor releases a true fix and it is deployed by their customers after suitable regression testing. Whenever a vulnerability is detected in a product the vendor and customers have to go through the time and expense of putting a new version of the product into service.
FIG. 1A illustrates a system of computers 100 that uses the current method of protecting against malicious packets. The computers 102A-102C each contain multiple applications 104A-104I that are accessed via a wider network, identified as the internet 106. Between the applications 104A-104I and the internet 106 is the firewall device 108. The firewall 108 is the tool used to protect the applications from malicious packets designed to crash or exploit the applications' security vulnerabilities. The protective nature of the firewall 108 is represented by the broken border pattern. All of the computers 102A-102C are connected to the firewall 108, and the firewall 108 connects to the internet 106. The described bottleneck is illustrated in that there are connections to the firewall 108 from each of the computers 102A-102C and only one connection on the opposite side to the internet 106. Some different security techniques for protecting computers from connections to unprotected networks have been developed.
U.S. Patent Application Publication No. 2006/0256716 by Caci, published Nov. 16, 2006, discloses an electronic communication control device suitable for embedding into a network interface card or a line card of a switch or router. The electronic communication control device is capable of communications in multiple protocols. The processing architecture of the electronic communication control device may be adapted for any communications protocol and may be well suited for Internet protocol. The electronic communication control device may perform protocol translation, for example, between IPv4 and IPv6. An exemplary embodiment of the electronic communication control device includes a parallel processing chipset operating on multiple busses with embedded software. The electronic communication control device provides a hardware architecture upon which embedded software may operate to provide services, such as, for example, system control, packet analysis, packet filtering, translation services, switching, routing and/or multiplexing control.
U.S. Patent Application Publication No. 2006/0253902 by Rabadan et al., published Nov. 9, 2006, discloses a method, system and apparatus for filtering data packets through an integrated network security device. Various security operations are performed on the data packets belonging to a network connection while they pass through the integrated network security device in a communication network. A classification engine is applied to the first packet of the connection. The result of this filtering is stored in a per-connection control key, and determines which of the security operations must be applied to each of the data packets of the connection. These security operations may be prioritized and re-ordered, based on the rate at which they detect and drop malicious data packets.
U.S. Patent Application Publication No. 2006/0206936 by Liang et al., published Sep. 14, 2006, discloses that in one embodiment, a network security appliance includes a logic circuit, a network processing unit, and a general purpose processor to protect a computer network from malicious codes, unauthorized data packets, and other network security threats. The logic circuit may include one or more programmable logic devices configured to scan incoming data packets at different layers of a multi-layer protocol, such as the OSI-seven layer model. The network processing unit may work in conjunction with the logic circuit to perform protocol parsing, to form higher layer data units from the data packets, and other network communications-related tasks. The general purpose processor may execute software for performing functions not available from the logic circuit or the network processing unit. For example, the general purpose processor may remove malicious code from infected data or perform malicious code scanning on data when the logic circuit is not configured to do so.
U.S. Patent Application Publication No. 2005/0108434 by Witchey, published May 19, 2005, discloses a method and embedded system for connecting a legacy device to a network. The system includes a firewall module that can be configured by embedded system firmware to filter data packets when data packets do not match pre-determined rules; determines if data is intended for an allowed port; and discards data if data is not for an allowed port or an allowed address. If address and data port are allowed, then data is transmitted to the network. The method includes determining if a data packet is from an allowed address, wherein an embedded system coupled to the legacy device uses a firewall module to filter data packets when data packets do not match pre-determined rules; determining if data is intended for an allowed port; and discarding data if data is not for an allowed port or an allowed address.
U.S. Patent Application Publication No. 2004/0143751 by Peikari, published Jul. 22, 2004, discloses a method and apparatus for increasing the security of data processing devices that use embedded operating systems (embedded devices). This invention utilizes an “embedded firewall” that improves security of the device by selectively filtering communication directly on the embedded device itself, rather than relying on an external firewall. In a preferred embodiment, this is achieved by (1) entering the desired filter specification at the user layer using an embedded user interface (UI) program or an imported specification file, (2) compiling the specification to be subsequently used by the embedded filtering engine, (3) using an embedded dynamic link library (DLL) as an intermediary to isolate the user program from the lower kernel level, thus providing a system-independent interface, (4) communicating the specification to the kernel layer using the embedded DLL, (5) monitoring packets in the kernel level as they enter from the lower network level using an embedded packet driver, (6) filtering packets at the kernel level using the embedded filtering engine and the previously defined filter specification, (7) reporting the results from the kernel level back up to the user level through the embedded DLL.
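The host-side filtering described in the Witchey and Peikari publications above (allowed-address and allowed-port rules; a filter specification compiled into a filtering engine whose verdicts are reported back) can be sketched in a few lines. The following Python is an added illustration and is not code from either publication or from the present invention; the rule syntax, the Packet type, the 512-byte payload limit and the BADSIG signature are all assumed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst_port: int     # destination port of the protected application
    payload: bytes    # application-layer data

def compile_spec(spec):
    """Compile a text filter specification into an ordered list of rule functions.
    Each rule returns a rejection reason or None. Lines (syntax assumed here):
      allow-src <cidr> | allow-port <n> | max-payload <bytes> | deny-pattern <regex>"""
    nets, ports, rules = [], set(), []
    for line in spec.strip().splitlines():
        key, _, arg = line.strip().partition(" ")
        if key == "allow-src":
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif key == "allow-port":
            ports.add(int(arg))
        elif key == "max-payload":   # oversized payloads are the classic overflow vector
            rules.append(lambda p, n=int(arg): f"payload {len(p.payload)} > {n}"
                         if len(p.payload) > n else None)
        elif key == "deny-pattern":  # signature of a known malicious packet
            rules.append(lambda p, r=re.compile(arg.encode()): f"matched {r.pattern.decode()}"
                         if r.search(p.payload) else None)
        else:
            raise ValueError(f"unknown rule: {line!r}")
    # Allow-lists run before content rules; an absent allow-list imposes no limit.
    if nets:
        rules.insert(0, lambda p: None if any(ipaddress.ip_address(p.src) in n
                                              for n in nets) else f"src {p.src} not allowed")
    if ports:
        rules.insert(0, lambda p: None if p.dst_port in ports
                     else f"port {p.dst_port} not allowed")
    return rules

def filter_packet(rules, pkt):
    """Apply the compiled rules in order; the first rejection wins. Returns (accepted, reason)."""
    for rule in rules:
        reason = rule(pkt)
        if reason:
            return False, reason
    return True, "ok"

# Constructed sample specification for one protected application listening on port 8080.
SPEC = "allow-src 10.0.0.0/8\nallow-port 8080\nmax-payload 512\ndeny-pattern BADSIG"
RULES = compile_spec(SPEC)
```

The returned reason string is the per-packet report the kernel-level engine would pass back up to the user level; logging it gives the application owner visibility into which rule fired without changing the application itself.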
U.S. Patent Application Publication No. 2004/0059943 by Marquet et al., published Mar. 25, 2004, discloses a packet filter for filtering data packets in a communications network. The packet filter has input and output ports for receiving and transmitting respective data packets. A data filter selectively passes packets from the input port to the output port in accordance with filtering policies. A policy manager determines filtering policies and controls operation of the data filter. The policy manager is independent of its implementation and not related to any particular operating system. This independence allows for a generic path of managing policies across devices implementing a system and for more flexibility in the implementation of packet filters. Flexibility may be enhanced by implementing the policy manager in system-on-chip technology.
In view of the foregoing, there is a need for systems and methods to protect applications from received malicious packets that operate efficiently without creating a network bottleneck. Further, there is a need for such systems and methods to provide protection for computer applications that receive packets without having to develop a new version of the application. There is also a need for such systems and methods to be quickly updated to protect against new threats. These and other needs are met by the present invention as detailed hereafter.