The present invention generally relates to firewall systems for controlling connections between client machines and networks.
In recent years, computer-related malware has developed very rapidly and become ever more sophisticated. Computer systems today are subject to numerous forms of attack, by viruses, worms, spyware, RATs (remote access trojans), and so on. While early malware was written mostly for fun or vandalism, today we increasingly see malware created by criminals for profit. One of the most critical problems is the growing number of trojan programs, i.e. malicious programs installed on a computer without the user's knowledge, which compromise the system and typically reach out to the Internet to report confidential information (such as bank account passwords) to the attacker, or to make the compromised system part of a botnet which can later be used for criminal purposes (such as spamming, DDoS (Distributed Denial of Service) attacks, etc.). Increasingly, such botnets are becoming valuable in their own right, as they can be ‘rented’ on the underground market for malicious purposes. These trojan programs can be introduced in a variety of ways, e.g. via worms, e-mails or downloads. By way of illustration, a recent study of machines connected to the Internet found 20% to be infected by viruses or worms and up to 80% to be infected with spyware.
Malware of the type described above is often combined with software known as ‘rootkits’. A rootkit intercepts normal system operation in order to hide the associated malware from the user or even from the system administrator. In some cases this is done by replacing system binaries, but it can also be done in a more sophisticated manner at deeper levels of the system, such as the kernel. In any case, the most dangerous types of malware have in common that they reach out from the local machine: a trojan reaches back to the attacker via the Internet, and a worm reaches out to further hosts in order to spread.
Various schemes have been proposed which aim to provide some level of security against malicious attacks of the type described above.

The Trusted Computing Group (https://www.trustedcomputinggroup.org/home) promotes open industry standards and specifications for hardware building blocks and software interfaces designed to enhance security against attacks. The heart of the Trusted Computing system is a dedicated integrated circuit known as a Trusted Platform Module (TPM). The TPM provides secure storage for security-critical information as well as functionality for security-related operations such as attestation. In the attestation process, cryptographic checksums (hash values) are generated from measurements of the hardware and software configuration of a system at boot time and on subsequent configuration changes, and are supplied to a remote verifier, which compares them with the known values for a trusted system in order to verify that the system's integrity is intact. In the typical attestation approach, the client application that communicates with the verifying server (e.g. the web browser or mail client) has to be modified to accommodate the system.

A radical approach to Internet security is proposed in “Architecting a Secure Internet”, Saikat Guha et al., http://nutss.gforge.cis.cornell.edu/pub/sosp05wip-guha.pdf. Connectivity through the Internet is established only when needed, i.e. the default is ‘no connection’; this requires changed infrastructure and protocols for the Internet as a whole.

The Cisco Network Admission Control (NAC) system described at http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html employs a local agent on the client machine which is interrogated by the NAC server during the first connection phase for the security posture of the client. If the posture is deemed sufficient, the client is allowed to connect to the local network.
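The measure-and-compare attestation flow described above for the TPM, as an added example in Python (not code from the page, and not the Trusted Computing Group's specification or any TPM vendor's implementation): each boot component is hashed and folded into a single register with the TPM's extend operation, the register value plus an event log are reported to a verifier, and the verifier replays the log and compares each entry against a table of known-good values. The component names and images, the use of one SHA-256 register, and the dictionary-based golden table are assumptions for illustration; a real TPM additionally signs the register value (a 'quote') with a key bound to the chip, which is omitted here.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example: a simplified model of TPM-style measured boot and remote
# attestation. Component names/images, the single SHA-256 register and the
# dict-based golden table are assumptions; the TPM's signed quote is omitted.

PCR_INITIAL = b"\x00" * 32  # a platform configuration register starts at zero

EventLog = List[Tuple[str, str]]  # (component name, hex digest), in boot order


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the register can only be folded forward, never set directly."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, EventLog]:
    """Hash each component in boot order, extend it into the register, log it."""
    pcr, log = PCR_INITIAL, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log: EventLog) -> bytes:
    """Recompute the register value that a given event log should produce."""
    pcr = PCR_INITIAL
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify(reported_pcr: bytes, log: EventLog, golden: Dict[str, str]) -> Tuple[bool, str]:
    """Remote verifier: the log must replay to the reported register, and every
    measured component must match a known-good value."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not replay to reported PCR"
    for name, digest_hex in log:
        expected = golden.get(name)
        if expected is None:
            return False, f"unknown component measured: {name}"
        if expected != digest_hex:
            return False, f"component {name} differs from known-good value"
    return True, "platform state matches known-good configuration"


# Constructed sample boot chain; the verifier's golden table is derived from it.
GOOD_BOOT = [
    ("firmware", b"firmware image v1"),
    ("bootloader", b"bootloader image v1"),
    ("kernel", b"kernel image v1"),
]
GOLDEN = {name: hashlib.sha256(image).hexdigest() for name, image in GOOD_BOOT}

# Constructed rootkit scenario: same firmware and bootloader, modified kernel.
ROOTKIT_BOOT = GOOD_BOOT[:2] + [("kernel", b"kernel image v1 with rootkit")]


def attest(components: List[Tuple[str, bytes]]) -> Tuple[bool, str]:
    """Honest client: report the register and the log that produced it."""
    pcr, log = measure_boot(components)
    return verify(pcr, log, GOLDEN)


def attest_with_forged_log(components: List[Tuple[str, bytes]]) -> Tuple[bool, str]:
    """Rootkit scenario: the boot was modified, but the clean log is reported.
    The register cannot be rewritten, so the forgery is detected."""
    pcr, _ = measure_boot(components)
    _, clean_log = measure_boot(GOOD_BOOT)
    return verify(pcr, clean_log, GOLDEN)


if __name__ == "__main__":
    print(attest(GOOD_BOOT))
    print(attest(ROOTKIT_BOOT))
    print(attest_with_forged_log(ROOTKIT_BOOT))
```

The third scenario is the reason the hardware register matters: a rootkit that replaces the kernel but reports the clean event log is still caught, because the log no longer replays to the register value the rootkit cannot alter.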
With NAC, checking is restricted to the initial network connection or to scheduled polling, and the decision of the NAC server is ‘black-and-white’, i.e. the client is either connected or not connected.

“SOCKS: A protocol for TCP proxy across firewalls”, Ying-Da Lee, http://ftp.cerias.purdue.edu/pub/tools/dos/socks.cstc/socks4/SOCKS4.protocol, describes a protocol for relaying TCP (Transmission Control Protocol) connections across a firewall.
Before connecting to the Internet, the client connects to the SOCKS daemon, which permits a very simple form of checking of the connecting machine using the Identd protocol, where this is supported by the endpoints. Use of this system necessitates modifications in the client, and the setup is dependent on the specific network protocol.
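The SOCKS exchange and the Identd check described above, as an added example in Python (not the SOCKS reference implementation or any code from the page): it parses a SOCKS4 CONNECT request (version, command, destination port and IPv4 address, NUL-terminated USERID), asks identd which user owns the client's source port, and answers with the reply codes the SOCKS4 protocol defines (90 granted, 91 rejected, 92 identd unreachable, 93 user-id mismatch). The identd answer is simulated with a constructed table keyed by (client IP, client port) instead of a query to TCP port 113 on the client, and the destination policy is an assumed one.

```python
import struct
from typing import Callable, Dict, Optional, Tuple

# Added example: minimal SOCKS4 CONNECT handling with the identd user-id check.
# Not the SOCKS reference code; the identd lookup is simulated with a table.

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90          # request granted
REPLY_REJECTED = 91         # request rejected or failed
REPLY_NO_IDENTD = 92        # cannot connect to identd on the client
REPLY_USERID_MISMATCH = 93  # client and identd report different user-ids

IdentdTable = Dict[Tuple[str, int], str]


def parse_connect(request: bytes) -> Tuple[int, str, str]:
    """Parse VN | CD | DSTPORT | DSTIP | USERID | NUL into (port, ip, userid)."""
    if len(request) < 9:
        raise ValueError("request too short")
    vn, cd, port, ip_raw = struct.unpack("!BBH4s", request[:8])
    if vn != SOCKS_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    nul = request.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID not NUL-terminated")
    userid = request[8:nul].decode("ascii")
    return port, ".".join(str(b) for b in ip_raw), userid


def build_connect(port: int, ip: str, userid: str) -> bytes:
    """Build the request a socksified client sends (the inverse of parse_connect)."""
    ip_raw = bytes(int(octet) for octet in ip.split("."))
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, ip_raw)
    return header + userid.encode("ascii") + b"\x00"


def build_reply(code: int) -> bytes:
    """SOCKS4 reply: VN=0, CD=code, then DSTPORT/DSTIP, which CONNECT replies ignore."""
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)


def identd_lookup(client_ip: str, client_port: int, table: IdentdTable) -> Optional[str]:
    """Stand-in for an RFC 1413 query to the client's port 113; None = no identd."""
    return table.get((client_ip, client_port))


def default_policy(userid: str, dst_ip: str, dst_port: int) -> bool:
    """Assumed site policy: any identified user may open web connections only."""
    return dst_port in (80, 443)


def handle_request(request: bytes, client_addr: Tuple[str, int], table: IdentdTable,
                   policy: Callable[[str, str, int], bool] = default_policy) -> int:
    """Return the SOCKS4 reply code for one CONNECT request from client_addr."""
    try:
        dst_port, dst_ip, userid = parse_connect(request)
    except ValueError:
        return REPLY_REJECTED
    ident_user = identd_lookup(client_addr[0], client_addr[1], table)
    if ident_user is None:
        return REPLY_NO_IDENTD
    if ident_user != userid:
        return REPLY_USERID_MISMATCH
    if not policy(userid, dst_ip, dst_port):
        return REPLY_REJECTED
    return REPLY_GRANTED


# Constructed identd answers for the sample clients used below.
SAMPLE_IDENTD: IdentdTable = {
    ("198.51.100.7", 40001): "alice",
    ("198.51.100.8", 40002): "mallory",
}


if __name__ == "__main__":
    req = build_connect(80, "192.0.2.10", "alice")
    for addr in [("198.51.100.7", 40001), ("198.51.100.8", 40002), ("198.51.100.9", 40003)]:
        code = handle_request(req, addr, SAMPLE_IDENTD)
        print(addr, code, build_reply(code).hex())
```

Note that the identd answer comes from the client host itself, so the check binds a connection to a user name only as far as that host is trusted; a compromised client can answer whatever it likes, which is why this is only a very simple form of checking.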
Aside from schemes like the above, the main measures employed today to counter malware attacks are the local installation of scanning tools, such as antivirus and anti-spyware tools, and the local installation of personal desktop firewalls. These have a number of drawbacks. The mechanisms are static: firewalls, for example, rely on the user to create static rules allowing certain executables to access certain network ports or destinations. They also demand user expertise: for previously unknown (i.e. not preconfigured) connection requests from local software, the user of the machine is prompted to deny or allow the request, and very often the user lacks the expertise to make this decision, so that inappropriate choices open ‘holes’ in the firewall. There is the additional difficulty of administration and maintenance: how to place the software on every desktop and how to keep it up to date, e.g. with signatures. Further, operation is mostly based on signatures for known-bad software, so these systems are not ready for zero-day exploits for which no signature is yet available. In addition, placing these security mechanisms on the local machine allows malware, after a successful compromise, to disable the mechanisms or hide from them. In this regard, “Flexible OS Support and Applications for Trusted Computing”, Tal Garfinkel et al., http://www.stanford.edu/~talg/papers/HOTO03/trusted-hotos03.pdf, describes the general idea of using a virtual machine as a secure vantage point for a simple local firewall. Apart from the better protection it offers against compromise of the client's main virtual machine, this approach corresponds in all other respects to a normal personal desktop firewall.