Networks connect many computers together allowing them to exchange data via communications lines. Several standards defining how such data exchanges should occur have been developed and implemented to ensure that computers and computer programs using the same protocols can successfully exchange data. One of the problems associated with the ability to exchange data is ensuring that a requestor entity, such as a user on a network, sometimes referred to as a client, is authorized to send messages to and to receive data from a server entity, such as another computer.
Firewalls are devices, such as programs or separate computer systems which were introduced in order to address the security problems associated with connecting a once private network such as a local area network connecting computers in an office, to an "Internet", where the data transmissions are open to eaves dropping, and the potential exists for "hostile" outsiders to disrupt network service or tamper with or attack systems residing on the private network.
There are a number of different classes of firewalls, each designed to address different types of security concerns. In spite of the different approaches, all firewalls perform a function know as "relaying", where Protocol Data Units (PDUs) are received by the firewall from a sending application entity and forwarded to a receiving application entity, possibly with some modifications to the original PDU. Since firewalls are designed to enforce a security policy, some information, or context, must be extracted from the PDUs and subjected to a set of rules. Based on the outcome of the rules check, the firewall performs an action; the PDU is either relayed, modified and relayed, or rejected in some fashion. The precise action is chosen by the designer of the firewall in order to affect the behavior of the system such that the security policy is satisfied. The action is of course subject to the constraints of the protocol the firewall is designed to support.
The Internet uses a simple transport protocol to provide a process to process communication service called User Datagram Protocol (UDP.) UDP is a protocol for processes to exchange datagrams such as messages between processes coupled via a network, Internet Protocol (IP) in this case. One important feature of the UDP protocol is that there is no assurance that a message will get through. It is said to be an unreliable communications protocol for this reason. No continuous connection is established, and since there is no maintenance of the states of messages to ensure delivery, there is very little overhead in implementing the UDP communication protocol. It is suitable for transfer of data such as network video, where there is no desire to spend time reconstructing lost frames of live video, and for audio communications, where the same considerations apply.
Processes communicating using UDP indirectly indentify each other using an abstract locator, often called a port or mailbox of a known host device along with the address of the host. Many common processes receive messages at fixed ports on each device on which they run. One process, known as a Domain Name Server (DNS) receives messages at port 53 for example. Following a first communication at such a port, processes may then agree on a different port number, which frees up the original port for other processes. A configuration file contains a list of hosts and ports which packets should be relayed between.
This points to a difficulty in implementing firewalls which protect servers from illegal messages. The firewall must find a way to accept messages that are not addressed to it. There is a need for this to be done with further multilevel checking of the messages without confusing the processes attempting to communicate. There is a further need to do this without modifying the client that is sending and receiving messages.