(1) Field of the Invention
This invention relates to a firewall system for monitoring communications between computer systems and networks.
(2) Description of the Art
It is known to use a firewall to protect a critical network from other networks connected to it. Critical computer networks handling sensitive or important information may be required to connect with other networks in order to exchange information. In making such a connection, the critical network's information becomes vulnerable, both to attack from users of the connected network and from errors in its own operation. A firewall controls which services provided by a critical network are available to computers on a network connected to the critical network, and vice versa. If the firewall operates correctly, it can provide a defence against attacks and errors by restricting the types of interaction that can take place between networks.
However, a firewall is a computer system running software for complex communications protocol handling and data checking, and in consequence is itself vulnerable to errors/failure and to attack. Several techniques are known for improving the robustness of firewalls by reducing their complexity, but these either limit the complexity of checks that can be performed or impair performance.
Firewalls operate with the aid of communications protocols which are built up in layers or levels, each (lower) layer offering services that the layer above it uses to implement a richer protocol. In ascending order the layers may be referred to as the electrical (physical) level, link level, network level, transport level and session level. The link level carries frames between computers on the same physical network; the network level routes packets between computers on different networks; and the transport level provides end-to-end connections between applications running on those computers. The network level is a relatively low level at which a firewall might operate. A firewall intercepts a communication between two networks at some layer and checks what is visible to it at that layer and below. The number of layers that are intercepted can be varied, providing a trade-off between firewall strength and performance.
Firewalls that intercept at only a relatively low protocol layer are faster because minimal protocol handling is required. However they have limited effectiveness because attacks or errors that manifest only in protocol layers above the intercepted layer cannot be detected by them. In contrast, firewalls that intercept all the layers of protocol are slower because they must perform more protocol handling, but are stronger because they can check all information in the communications.
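The following is an added illustration of the trade-off just described; it is not code from the patent or from any of the cited products. It constructs an IPv4/TCP packet by hand (checksums are left at zero, an assumption that simplifies the example) and runs it through two filters: one that interprets only the network-level header, and one that continues up through the transport level to an application-level SMTP command allow-list. The addresses, ports and allowed verbs are example policy, not values from the page.

```python
"""Layered packet inspection: network-level filter versus full-stack filter.

Added example, not from the original document.  Assumes IPv4 over TCP with a
plain-text SMTP command as payload; the packets are constructed inline.
"""
import struct

MAIL_SERVER = "10.0.0.5"   # example policy: only this host may be reached
SMTP_PORT = 25
ALLOWED_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"QUIT"}


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP packet (checksums zero, no options)."""
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK,
    # window, checksum, urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    # IPv4 header: version/IHL, TOS, total length, id, flags/fragment, TTL,
    # protocol 6 = TCP, checksum, source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return ip + tcp


def parse_ipv4(pkt: bytes) -> dict:
    """Network level: interpret only the IPv4 header and hand back the body."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "body": pkt[ihl:total_len],
    }


def parse_tcp(seg: bytes) -> dict:
    """Transport level: interpret the TCP header and hand back the payload."""
    sport, dport = struct.unpack("!HH", seg[:4])
    data_offset = (seg[12] >> 4) * 4
    return {"sport": sport, "dport": dport, "payload": seg[data_offset:]}


def network_level_filter(pkt: bytes) -> bool:
    """Fast: decides on address and protocol alone; never sees the payload."""
    ip = parse_ipv4(pkt)
    return ip["proto"] == 6 and ip["dst"] == MAIL_SERVER


def full_stack_filter(pkt: bytes) -> bool:
    """Slower: climbs every layer and checks the application-level command."""
    ip = parse_ipv4(pkt)
    if not (ip["proto"] == 6 and ip["dst"] == MAIL_SERVER):
        return False
    tcp = parse_tcp(ip["body"])
    if tcp["dport"] != SMTP_PORT:
        return False
    first_line = tcp["payload"].split(b"\r\n", 1)[0]
    verb = first_line.split(b" ", 1)[0].upper()
    return verb in ALLOWED_VERBS


def decisions(pkt: bytes) -> tuple:
    """(network-level verdict, full-stack verdict) for one packet."""
    return network_level_filter(pkt), full_stack_filter(pkt)


if __name__ == "__main__":
    benign = build_packet("192.168.1.10", MAIL_SERVER, 40000, 25, b"HELO client.example\r\n")
    disallowed = build_packet("192.168.1.10", MAIL_SERVER, 40000, 25, b"VRFY root\r\n")
    print("benign    :", decisions(benign))
    print("disallowed:", decisions(disallowed))
```

The second packet is accepted by the network-level filter and rejected by the full-stack filter: the low-layer check is cheaper precisely because it never parses the bytes in which the difference lies.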
“Building Internet Firewalls”, D. Brent Chapman & Elizabeth D. Zwicky, O'Reilly 1995, ISBN 1-56592-124-0 is a standard reference work on firewall construction. Cisco Systems of San Jose, Calif. offer a variety of firewall products. This indicates that it is known to construct a firewall having checks implemented by a software application running on a general purpose computer having a network protocol stack. The security weakness of such application level firewalls is that flaws, or configuration mistakes, in the network protocol stack or in the checks themselves may lead to the checks being bypassed.
US Pat. Appln. No. 2003/0167410 to Rigstad discloses an implementation of a Virtual Private Network using hardware and encryption. US Pat. Appln. No. 2003/0097431 to Dill discloses a computer working as a basic port filtering firewall platform. US Pat. Appln. No. 2003/0078377 to Chang discloses firewalls for CORBA services, managed by a central but distributed database but not an Internet firewall. Here “CORBA” is Common Object Request Broker Architecture, a protocol for communication between parts of a distributed application.
U.S. Pat. No. 6,141,749 to Coss discloses improving stateful inspection firewalls operating at the lowest levels of protocol. U.S. Pat. No. 6,167,428 to Ellis discloses using networks of computers attached to the Internet to form a large parallel processor. It mentions a respective firewall processor in each computer controlling access to the computer's main processor, but does not disclose the nature of the firewalls themselves. U.S. Pat. No. 6,212,633 to Levy relates to adding security to Apple Computer's FireWire™ (the IEEE 1394 high-speed serial bus used for peripherals such as digital video cameras). It discloses standard signature and encryption algorithms/techniques to make communication secure.
U.S. Pat. No. 6,701,432 to Deng discloses a hardware packet filtering firewall for low level packet communication. US Pat. Appln. No. 2002/0078377 to Cohen relates to stopping resource flooding attacks.
An alternative form of firewall is known which operates by signature checking. Here, checking of the data in a message is carried out not by the firewall, but by a software application running on the computer network which is the source of the data. This approach is described by J Epstein in “Architecture and Concepts of the ARGuE Guard”, 15th Annual Computer Security Applications Conference, Phoenix, Ariz., USA, December 1999. Before releasing data, the source network carries out complex application-specific checks, such as gaining a user's approval for a message to be released. The source network then applies an unforgeable digital signature to the message to indicate that the checks have been passed, and sends it to the firewall. To establish whether or not the message can be released for transmission to a destination network, the firewall then has only to validate the digital signature instead of checking the whole message.
The advantage of a signature checking firewall is that checking is simplified and so less prone to flaws. However, the network protocol stack still remains a weak point: a flaw or configuration mistake in it may allow a message to pass without its signature being checked at all.
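An added example of the division of labour described above; it is not code from the ARGuE guard or from the patent. The source-network side runs the application-specific release checks and attaches a tag; the firewall side only validates the tag over a length-prefixed wire format and never interprets the message contents. One assumption is flagged plainly: the tag is an HMAC with a key shared by both sides, used here because it needs only the Python standard library. The design on the page uses an unforgeable digital signature, so the firewall would hold only a verification key and could not itself produce a valid tag; the HMAC stand-in does not give that property, and is used solely to show the check-then-tag / verify-only split. Labels, approvers and key bytes are constructed for the example.

```python
"""Signature-checking guard: source-side release checks, firewall-side verify only.

Added example, not from the original document.  HMAC-SHA256 stands in for the
asymmetric digital signature described on the page (see lead-in); the key,
labels and approver list are constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import Optional

RELEASE_KEY = b"example-release-key-not-for-real-use"   # constructed; assumption
TAG_LEN = hashlib.sha256().digest_size                   # 32 bytes
ALLOWED_LABELS = {b"UNCLASSIFIED"}                       # example release policy
APPROVERS = {"alice", "bob"}                             # example approver list


def canonical(label: bytes, body: bytes) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted later."""
    return struct.pack("!H", len(label)) + label + struct.pack("!I", len(body)) + body


def release(label: bytes, body: bytes, approver: str) -> Optional[bytes]:
    """Source-network side: run the application-specific checks, then tag.

    Returns the wire message (canonical form + tag) or None if a check fails,
    in which case nothing is ever tagged and the guard will refuse it.
    """
    if label not in ALLOWED_LABELS:
        return None                      # wrong classification: not releasable
    if approver not in APPROVERS:
        return None                      # no valid human approval
    msg = canonical(label, body)
    tag = hmac.new(RELEASE_KEY, msg, hashlib.sha256).digest()
    return msg + tag


def guard_accepts(wire: bytes) -> bool:
    """Firewall side: validate the tag only; never parse label or body.

    The only structure the guard relies on is 'tag is the last TAG_LEN bytes',
    which keeps its own protocol handling as small as possible.
    """
    if len(wire) <= TAG_LEN:
        return False
    msg, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(RELEASE_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)   # constant-time comparison


def tamper(wire: bytes, index: int) -> bytes:
    """Flip one bit after release, modelling modification in transit."""
    altered = bytearray(wire)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    ok = release(b"UNCLASSIFIED", b"Shipment leaves Tuesday.", "alice")
    print("approved, intact  :", guard_accepts(ok))
    print("approved, tampered:", guard_accepts(tamper(ok, 10)))
    print("never released    :", release(b"SECRET", b"...", "alice"))
```

Note what the guard does not do: it never inspects the classification label, the body or who approved the release. Those decisions were made, and are only recorded, on the source side; the guard's job is reduced to one fixed-size comparison.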
U.S. Pat. No. 6,032,259 to Nemoto discloses a firewall which avoids failures in the network protocol stack that might otherwise result in checks being bypassed. The firewall intercepts communication at the highest protocol stack level but forwards it using a simple dedicated communication mechanism rather than via the network protocol stack. In this way errors in the complex protocol stack software do not lead directly to checks being bypassed. This approach relies on the simplicity achievable with a dedicated communication mechanism, but such a mechanism can only provide connections to single software applications on single computers. Also, the simplicity can only be achieved by using relatively slow communications media, e.g. older media such as serial data links which can be driven by relatively simple software. This is because modern operating systems invariably drive high performance communications media such as USB, FireWire and Ethernet using complex high level protocols, in order to make best use of resources. In these operating systems, media driver software is structured into protocol stacks for ease of design. Moreover, U.S. Pat. No. 6,032,259 does not address the possibility that an attacker might use a flaw in the complex protocol stack to gain control of the firewall and then drive the simple communication mechanism directly. Hence this approach is limited in terms of applicability, performance and security.
It is also known to use specially constructed operating systems to provide a more general solution to the problem of providing a firewall. “An Overview of the AMC WWMCCS CAT Guard”, R A Vick, Proc. 8th Annual Computer Security Applications Conference, San Antonio, Tex., USA, November 1992, discloses using features of the Wang XTS-200 operating system to provide two separate network stacks, each driving a separate network interface. This approach ensures that flaws in a single network stack cannot lead to the checks being bypassed, even if they are exploited by an attacker. A related disclosure appears in “Lessons Learned During the Life Cycle of an MLS Guard Deployed at Multiple Sites”, Thomas Forino et al, Proc. 11th Annual Computer Security Applications Conference, New Orleans, La., December 1995.
A potential solution to improve performance is to implement the firewall's function in hardware instead of software. Possible techniques are described in a master's dissertation for the University of Saskatchewan entitled “Silicon Firewall Prototype”, Cheng, Jin dated Dec. 8, 2003, URN etd-12152003-142455, and a paper “Specialized Hardware for Deep Network Packet Filtering”, Young H. Cho, Shiva Navab, William H. Mangione-Smith, International Conference on Field Programmable Logic and Applications (FPL), Montpellier, France, September 2002.