Web browsers are the most-used internet application. Yet, no known firewall to date has been able to solve the issue of protecting web browser traffic. This deficiency has left a gaping hole in the protection of personal computers from hackers and other cybersecurity threats.
Web browser traffic is unique in that a single application (i.e., the web browser) communicates with a multitude of different sites—with the user routinely selecting new and unique sites. This behavior has posed a unique challenge to firewall security, a challenge that existing technology had not solved.
For example, traditional firewalls allow users to define which applications may or may not access the network. However, when it comes to a web browser, the moment this single application is allowed access, a limitless number of sites are then allowed to be contacted via this one application. Hackers typically simply piggyback on the allowed web browser traffic, providing them unfettered access to and control of the user's PC.
In fact, the moment any application is allowed access to the network, the entire PC generally becomes vulnerable to cyberattack. Trojans are computer programs which allow a hacker to take total and complete control over a user's computer. Well-written trojans attach themselves to any application that has network access. In doing so, the trojans then have unfettered, firewall-approved access to the internet; thereby, the trojans have unfettered, firewall-approved access to the user's computer as well.
The use of “whitelists” and “blacklists” has been the traditional attempt at limiting the impact of this real-world cyberthreat. However, hackers have responded by continually changing their IP Addresses and Domain Names, rendering “blacklists” obsolete. “Whitelists” are very useful for most internet applications—with the notable exception of web browsers. Many web browser users do not want to be confined to a previously approved list of sites. The restrictive nature of whitelists and the act of browsing are antagonistic with one another.
Whitelists and blacklists are traditionally applied to IP Addresses, ports, and applications. One whitelist/blacklist domain-name-based firewall's functionality is fully predicated on a “setup.” With respect to that “setup,” the firewall's controller enforces the domain name rules to selectively allow or deny access to a website or other Internet node, with the domain name rules being established using a setup methodology via a communications channel such as a command line interface, a web-based interface, or other solutions. In other words, in this firewall, the controller specifically acts upon domain name rules (i.e., whitelist/blacklist rules) that are statically input during setup in a manner that would be known to those skilled in the art.
The aforementioned firewall is fully predicated on the use of the traditional statically input whitelist/blacklist approach with the sole difference being that the statically input whitelist/blacklist operates on a domain name basis in addition to IP Addresses and Ports. This conventional firewall may utilize a dynamic process to potentially alter the content of the traffic data itself during the screening process, but as for the establishment of the allow/block rules during setup, they are static, being typically input at the time of install by a network administrator.
In alternative embodiments of this conventional firewall, source IP address, destination IP address, and port being utilized can be statically input as part of the setup process. Traditional firewalls have long been using a whitelist/blacklist approach which is applied to statically entered source IP addresses, destination IP addresses, and ports being used.
In short, conventional firewalls have done nothing outside the static paradigm of preselected whitelists and/or blacklists, which are typically input at the time of setup by a network administrator. This is one of the limitations that makes conventional firewalls unsuited to the provision of dynamic user control over browser-based traffic.
To permanently end computer hacking, computer operators must be able to monitor and control all traffic going in and out of their computers. Traditional firewalls do indeed provide traffic monitoring in addition to traffic control. However, traditional firewalls place great emphasis on controlling traffic based on previously input static whitelists and blacklists; the firewall's monitoring functions are treated as a separate, if not ancillary, part of the security paradigm. Traditional firewalls are not designed to be a continually-viewable, integral part of the user's browsing experience. This, in turn, has resulted in monitoring functionality that is of little, if any, value in assisting the user in taking dynamic, real-time control over the internet traffic. As a result, computer hacking and cyberattacks have grown at an exponential rate.
Some firewalls do provide complicated mechanisms which could (in theory) be used by highly sophisticated users to take control over a substantial amount of traffic flowing in and out of the computer (provided the user is not only highly sophisticated, but also willing to invest an incredible amount of time, energy, and effort to take such control). Having to choose between security and convenience is part and parcel of the cybersecurity industry. Security experts are trained to view “Usability” and “Security” as inversely proportional to one another. For example, consider the textbook CEH—Certified Ethical Hacker by Michael Gregg. On page 6, this textbook teaches that “Usability” and “Security” are inversely proportional to one another. Moreover, the textbook teaches that this is a “Security Fundamental.” The textbook further teaches the presumed inherent inverse relationship using the diagram in FIG. 14. According to the textbook diagram, usability inherently decreases as security increases.
The presumed inverse relationship between usability and security is deeply ingrained in the minds of those ordinarily skilled in the art. For example, Luiz Firmino (CISSP, CISM, CRISC, CICISO) teaches the same presumed inherent inverse relationship between “security” and “ease of use.” Firmino uses the diagram in FIG. 15 to teach this presumption.
Trade magazines have further solidified this mindset. For example, in “Why Convenience is the Enemy of Security,” David Jeffers teaches that the choice between convenience and security “is a sliding scale that requires finding the right balance between the two.”
This widely embraced presumption has resulted in two types of cybersecurity software: easy-to-use but insecure, or difficult-to-use but very secure. In “Security vs. usability: No one's winning,” Rodney Gedda documents that “Usability of security software is partly to blame for low protection levels in many computers, according to international security experts.”
Those ordinarily skilled in the art of cybersecurity strongly view “Usability” and “Security” as inversely proportional, and this deeply ingrained paradigm is reflected in their design of cybersecurity products, including traditional firewall implementations. To those ordinarily skilled in the art, easy-to-use yet highly secure firewall embodiments are not only nonobvious, they are considered impossible.
When it comes to firewalls, the highest form of security is a “Deny-All Approach.” This approach begins by initially blocking all traffic; from that point forward, only traffic dynamically approved by the user is allowed through. This highest form of security has remained an elusive goal—likely due to the widely-held assumption that the highest form of security must inherently result in the lowest possible level of usability. This widely-held assumption prevents those ordinarily skilled in the art from even looking for a paradigm in which the highest form of security can be accomplished in a simple, easy-to-use manner. After all, such a notion runs contrary to the predominant cybersecurity paradigm.
In summation, the designers of traditional firewalls have failed to invent an easy-to-use, “Deny-All Approach” that is applicable to the unique characteristics of web-browser traffic. In fact, for those ordinarily skilled in the art, such a concept is considered inherently impossible.
Therefore, a need exists to solve the deficiencies present in conventional firewalls and their related methodologies. What is needed is an easy-to-use firewall that substantially secures a network. What is needed is a firewall that can be based on a dynamically updatable Deny-All Approach. What is needed is a firewall that is customizable to accommodate user traffic. What is needed is a firewall that integrates DNS traffic monitoring with traffic control of non-DNS data packets.
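The contrast drawn above, between setup-time whitelist/blacklist rules and a Deny-All Approach in which DNS monitoring is tied to the control of non-DNS packets, can be made concrete with a small policy simulation. The following Python is an added example written for this page; it is not code from the application or from any firewall product it describes. The domain names, IP addresses (from the documentation ranges), packet events and the user-prompt callback are all constructed for the illustration, and the mapping of destination IP to domain name via observed DNS answers is one simple way of attributing a browser's connections to the site the user asked for.

```python
"""Toy policy engine contrasting static setup-time rules with a dynamic
Deny-All Approach driven by observed DNS answers (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Union


@dataclass
class DnsAnswer:
    """A resolved name seen in DNS traffic (constructed event)."""
    name: str
    ip: str


@dataclass
class Packet:
    """A non-DNS packet the browser wants to send (constructed event)."""
    dst_ip: str
    dst_port: int


@dataclass
class StaticPolicy:
    """Whitelist/blacklist fixed at setup; never changes while browsing."""
    allow_names: Set[str] = field(default_factory=set)
    block_names: Set[str] = field(default_factory=set)
    default: str = "deny"          # verdict for any name not in either list
    ip_to_name: Dict[str, str] = field(default_factory=dict)

    def observe_dns(self, ans: DnsAnswer) -> None:
        self.ip_to_name[ans.ip] = ans.name

    def decide(self, pkt: Packet) -> str:
        name = self.ip_to_name.get(pkt.dst_ip)
        if name in self.block_names:
            return "deny"
        if name in self.allow_names:
            return "allow"
        return self.default      # unknown or unresolved destinations fall through


class DynamicDenyAllPolicy:
    """Starts by denying everything; each newly seen domain is put to the
    user once, and the answer is remembered for later packets to that site.
    Packets to an IP that no DNS answer accounts for are always denied."""

    def __init__(self, ask_user: Callable[[str], bool]) -> None:
        self.ask_user = ask_user
        self.decisions: Dict[str, bool] = {}
        self.ip_to_name: Dict[str, str] = {}
        self.log: List[str] = []

    def observe_dns(self, ans: DnsAnswer) -> None:
        self.ip_to_name[ans.ip] = ans.name
        self.log.append(f"dns {ans.name} -> {ans.ip}")

    def decide(self, pkt: Packet) -> str:
        name = self.ip_to_name.get(pkt.dst_ip)
        if name is None:
            self.log.append(f"deny {pkt.dst_ip}:{pkt.dst_port} (no DNS answer seen for this IP)")
            return "deny"
        if name not in self.decisions:          # first contact with this site
            self.decisions[name] = self.ask_user(name)
        verdict = "allow" if self.decisions[name] else "deny"
        self.log.append(f"{verdict} {name} ({pkt.dst_ip}:{pkt.dst_port})")
        return verdict


# Constructed browsing session: two sites resolved via DNS, one direct-to-IP
# connection with no DNS lookup, then a return visit to the first site.
EVENTS: List[Union[DnsAnswer, Packet]] = [
    DnsAnswer("news.example", "203.0.113.10"),
    Packet("203.0.113.10", 443),
    DnsAnswer("cdn.example", "203.0.113.20"),
    Packet("203.0.113.20", 443),
    Packet("198.51.100.5", 8080),
    Packet("203.0.113.10", 443),
]


def replay(policy, events) -> List[str]:
    """Feed DNS answers to the policy and collect a verdict per packet."""
    verdicts = []
    for ev in events:
        if isinstance(ev, DnsAnswer):
            policy.observe_dns(ev)
        else:
            verdicts.append(policy.decide(ev))
    return verdicts


def run_demo() -> dict:
    """Run the same session through the three policies being contrasted."""
    asked: List[str] = []

    def prompt(name: str) -> bool:       # stands in for a real-time user prompt
        asked.append(name)
        return name == "news.example"    # the user approves one site, declines the other

    dyn = DynamicDenyAllPolicy(prompt)
    return {
        "static_blacklist": replay(StaticPolicy(block_names={"bad.example"}, default="allow"), EVENTS),
        "static_whitelist": replay(StaticPolicy(allow_names={"home.example"}, default="deny"), EVENTS),
        "dynamic_deny_all": replay(dyn, EVENTS),
        "prompts": asked,
        "log": dyn.log,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Replaying the session shows the three behaviours the text describes: the setup-time blacklist lets every packet through, including the direct-to-IP connection that no DNS answer explains; the setup-time whitelist blocks the user from every site not preapproved before browsing began; and the dynamic deny-all policy asks about each new domain exactly once, remembers the answer for the return visit, and still denies traffic that cannot be attributed to any resolved name.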