Firewalls have become an increasingly important part of network design. A firewall protects valuable resources on a private network while still allowing communication with systems located on an unprotected network such as the Internet. It also blocks attacks on the private network arriving from the unprotected network by providing a single point of connection that offers only a limited set of services. A well designed firewall confines the security problems of an Internet connection to a single firewall computer system, which allows an organization to focus its network security efforts on defining the security policy that the firewall enforces. An example of a firewall is given in "SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES", U.S. patent application Ser. No. 08/322,078, filed Oct. 12, 1994, by Boebert et al., the description of which is hereby incorporated by reference. A second example of such a system is described in "SYSTEM AND METHOD FOR ACHIEVING NETWORK SEPARATION", U.S. application Ser. No. 08/599,232, filed Feb. 9, 1996, by Gooderum et al., the description of which is hereby incorporated by reference. Both are examples of application level gateways. Finally, "SECURITY POLICY MANAGEMENT SYSTEM AND METHOD", U.S. application Ser. No. 08/715,668, filed Sep. 18, 1996, by Stockwell et al. describes a system and method for regulating the flow of internetwork connections through a firewall, the description of which is hereby incorporated by reference. Application level gateways use proxies operating at the application layer to process traffic through the firewall. Because a proxy terminates each connection and reassembles the application protocol, it can review not only the message traffic (addresses, ports and connection state) but also the message content. In addition, proxies provide authentication and identification services, access control and auditing.
Application level gateways operate best on hardened operating systems. For example, the Sidewinder.RTM. product, built by the assignee of the present invention, is an application level gateway which operates on a hardened version of BSD Unix.
The advantage of having an application level gateway operate on top of a hardened operating system is that the routing of traffic through the gateway can be restricted so that all traffic through the gateway must pass through an application level proxy first; the hardened system does not permit traffic to be forwarded around the proxies at the network layer.
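The kind of decision an application level proxy makes on message content, identity and policy, as described above, is illustrated by the following added example. It is not code from the patent or from the Sidewinder product; the HTTP policy, the user table, the Basic authentication check and the sample requests are all constructed for illustration. The point it makes is that a proxy, having terminated the connection and parsed the protocol, can refuse a forbidden method, an unlisted destination host, a failed credential or an ambiguous header block (duplicated Host or Content-Length headers), and can write an audit record for every decision, none of which a network-layer filter can do.

```python
"""Constructed example: application-level gateway policy checks for HTTP/1.x.
A packet filter sees addresses and ports; a proxy terminates the connection,
parses the protocol and decides on content, identity and policy, auditing each decision."""
import base64
import hmac
import logging
from dataclasses import dataclass

log = logging.getLogger("gateway.audit")

@dataclass(frozen=True)
class Policy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD"})
    allowed_hosts: frozenset = frozenset({"www.example.com"})
    require_auth: bool = True
    max_head_bytes: int = 8192

@dataclass
class Decision:
    allowed: bool
    reason: str
    method: str = ""
    host: str = ""
    user: str = ""

USERS = {"alice": "s3cr3t"}  # constructed user table; plaintext only for brevity

def basic_auth(user: str, password: str) -> str:
    """Proxy-Authorization value (HTTP Basic) used to build sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def parse_head(raw: bytes, max_head_bytes: int):
    """Parse request line and headers; raise ValueError on anything a proxy
    should refuse, including duplicate Host/Content-Length (desync trick)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > max_head_bytes:
        raise ValueError("incomplete or oversized header block")
    lines = head.decode("ascii").split("\r\n")  # UnicodeDecodeError is a ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        key = name.lower()
        if key in ("host", "content-length") and key in headers:
            raise ValueError(f"duplicate {key} header")
        headers[key] = value.strip()
    return parts[0], parts[1], headers

def authenticate(headers: dict, users: dict):
    """Return the user named by valid HTTP Basic proxy credentials, else None."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    expected = users.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user

def _audit(d: Decision) -> Decision:
    log.info("%s method=%s host=%s user=%s reason=%s", "ALLOW" if d.allowed else "DENY",
             d.method, d.host, d.user, d.reason)
    return d

def inspect_request(raw: bytes, policy: Policy = Policy(), users: dict = USERS) -> Decision:
    """Decide whether the proxy may forward the request; every outcome is audited."""
    try:
        method, _target, headers = parse_head(raw, policy.max_head_bytes)
    except ValueError as exc:
        return _audit(Decision(False, f"malformed request: {exc}"))
    host = headers.get("host", "").rsplit(":", 1)[0]  # drop optional port (no IPv6 literals)
    if method not in policy.allowed_methods:
        return _audit(Decision(False, f"method {method} not permitted", method, host))
    if not host or host not in policy.allowed_hosts:
        return _audit(Decision(False, f"host {host!r} not permitted", method, host))
    user = ""
    if policy.require_auth:
        user = authenticate(headers, users)
        if user is None:
            return _audit(Decision(False, "authentication failed", method, host))
    return _audit(Decision(True, "policy satisfied", method, host, user))

# Constructed sample requests.
SAMPLE_OK = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com:80\r\n"
             + f"Proxy-Authorization: {basic_auth('alice', 's3cr3t')}\r\n\r\n".encode())
SAMPLE_POST = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_DESYNC = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nHost: evil.example.net\r\n\r\n"

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s %(message)s")
    for raw in (SAMPLE_OK, SAMPLE_POST, SAMPLE_DESYNC):
        inspect_request(raw)
```

Only the decision logic is shown; in a real gateway `inspect_request` would sit between the accepted client socket and a fresh outbound connection, and only a request that returns `allowed=True` would be re-serialized and forwarded. The parser deliberately fails closed on anything it cannot interpret unambiguously, since an application level gateway that forwards what it could not parse gives up exactly the content inspection that distinguishes it from a packet filter.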
To date, hardening an operating system has required the programmer to have access to the operating system source code. In many instances, however, operating system manufacturers are hesitant to give outside parties access to their source code. What is needed is a way of modifying an existing operating system so that it can be used as a firewall implementing an application level gateway without access to the operating system source code.
For the reasons stated above, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for a system which provides a firewall that can be used with an indigenous stack, that is, the network protocol stack supplied with the operating system, without modifying that stack.