Referring to FIG. 1, a typical firewall 101 is placed between a Local Area Network (LAN) 103 and outside networks 111, 115. LAN 103 may include a plurality of internal hosts 105, 107, 109. Outside networks 111 can be networked through the Internet 117. Outside network 115 may also include its own firewall 117. Internal hosts 105, 107, 109 and remote hosts 119, 121 are computers, e.g., personal computers (PC) or computer workstations. Firewall 101 includes a combination of computer hardware and software components configured to protect LAN 103, i.e., preventing unwanted intrusions from outside networks 111, 115.
In order to exchange information, e.g., sending a message from remote host 119 to internal host 105, a connection 125 is established by sending a plurality of packets therebetween. A packet is a basic message unit routed between a source computer and a destination computer, e.g., remote host 119 and internal host 105, respectively, in a packet-switched network depicted in FIG. 1. For example, when a file, e.g., an e-mail message, HTML file, or other similar message, is sent from a source computer to a destination computer, the file is broken into a plurality of packets. (Here, HTML, Hypertext Markup Language, is a set of “markup” symbols or codes, which instructs a Web browser how to display a Web page's words and images.)
More specifically, a Transport Control Protocol (TCP) module of a TCP/IP layer in a source computer divides the file into packets of an efficient size for transmitting over the network. Each packet includes header information, e.g., a destination address and a source address, and content information, i.e., the broken up message file. Further, the plurality of packets from the file includes a plurality of connection control packets and data transfer packets. The connection control packets include at least one connection establishing packet, e.g., a SYN packet, and at least one connection disconnection packet, e.g., RST, FIN, FIN-ACK packets. The data transfer packets include the pieces of the broken up file. Individual packets for a given file may travel different routes through the packet switching network. When the packets from one file have all arrived at their destination computer, they are reassembled into the original file by a TCP module in the destination computer.
Here, the TCP module is a communication protocol used along with the Internet Protocol (IP) to send data in the form of packets between a source and destination computers. While the IP module performs the actual delivery of the data, the TCP module keeps track of the individual packets that a file is divided into for efficient routing through the Internet.
OSI (Open Systems Interconnection) is briefly described here to provide the context in which the present invention is discussed later. OSI is a reference model for the layer of common functions in a communications system. Although many existing hardware and software products have been developed on a slightly different model, the OSI model is often used as a guideline when new products are designed and serves as a common reference for understanding any particular design or comparing it with others.
OSI includes seven layers:                The application layer (layer 7) is a layer at which a user interacts with a computer to view messages or send data requests or responses.        The presentation layer (layer 6) is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (e.g., converting a text stream into a popup window with a newly arrived text string).        The session layer (layer 5) manages the establishment of a continuing series of requests and responses between the applications at each end of a communication connection.        The transport layer (layer 4) manages the end-to-end control (e.g., determining whether all packets have arrived) and error-checking.        The network layer (layer 3) handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level).        The link (or data-link) layer (layer 2) provides error control and synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5.        The physical layer (layer 1) conveys the bit stream through the network at the electrical and mechanical level.        
Referring back to FIG. 1, the basic task of firewall 101 is to separate internal network 103 from outside networks 117, 115 and enforce security policies with a set of rules. The most common firewall features include: securing internal network 103 access with a perimeter defense, controlling all connections into and out of internal network 103, filtering packets according to previously defined rules, “authenticating” or making sure users and applications are permitted to access resources, logging of activities, and actively notifying the appropriate people when suspicious events occur.
Conventional firewalls include only one of a packet filter, an application proxy and a stateful inspection.
A packet filter examines each incoming packet and decides what actions to take by checking against a table of access control rules. The packet filter, in its simpler embodiments, examines the header information of each incoming packet and makes pass/fail decisions based on their source and destination addresses. A weakness of such a firewall is that the content information of the packets is unknown to the firewall. More specifically, because packet filters perform their checking at the network access layer, there is no real knowledge of application level vulnerabilities. As a result, direct connections are allowed between a source and destination computers through firewall 101, exposing internal hosts 105, 107, 109 to direct attacks.
An application proxy does not allow direct contact between a ‘trusted’ and ‘untrusted’ networks. Each of the packets passing through this type of firewall is examined at the application layer—meaning the application proxies understand the destination and contents of packets. Such a firewall, for example, distinguishes between “FTP Put” and “Get” commands. A typical application proxy includes a built-in proxy function also known as a transparency function. The transparency function replaces the IP address of a host on the internal protected network with its own IP address for all traffic passing through. The transparency function provides added security, because it hides the addresses of internal hosts. This makes it more difficult for hackers on the outside to target specific devices inside such a firewall. For this higher security, however, the application proxy requires large amounts of processing power and a corresponding loss of performance.
Finally, a stateful packet filter examines packets without examining the packets as well as that of an application proxy. After a packet filter firewall or stateful inspection firewall has decided to allow a connection to be made, it allows data to travel directly between the networks without further inspection. Once a session is opened, the nature of the session can be changed without being detected. This allows for more speed, but also creates potential security risks as well. Again, making internal hosts 105, 107, 109 vulnerable to attacks from outside.
Accordingly, there exists a need for a firewall method which makes it possible to dynamically select the best procedures from existing firewall methods to achieve the required level of security while meeting performance constraints.
Further, the definitions of network communication terms and phases can be found in Andrew S. Tannenbaum, “Computer Networks” 2nd ed., (1989), the contents of which are herein incorporated by reference. Information on network programming can also be found in W. Richard Stevens, “Unix Network Programming” (1990), the contents of which are herein incorporated by reference.