1. Field of the Invention
The invention relates generally to computer security. More particularly, this invention relates to a computer security system that provides intelligent firewall protection.
2. Background Art
As society's dependence on computers increases, the importance of security for computers and their networks also increases. Threats such as hackers can shut down or damage large computer networks and cost significant amounts of money, resources, and time. Security measures to prevent such incidents are constantly evolving along with the nature and sophistication of the threat.
One technique to protect a computer network from external threats is by using a “firewall”. A firewall is a combination of hardware and software that is placed between a network and its exterior. FIG. 1 shows a schematic of a prior art network 10 with a firewall. The network 10 includes a series of users 12a-12d that are linked and controlled through a server 14. The device could also be a router or a switch for the network. A firewall 16 is installed between the server 14 and the network exterior 20. The server 14, the firewall 16, and the exterior 20 are interconnected through a single line 18. The single line 18 prevents outsiders from accessing the network except through the firewall 16. The firewall receives all data from the network exterior before it is sent to the network users. The data may be e-mail, encrypted data, internet queries, or any other type of network traffic.
The firewall sorts and analyzes the data and determines whether it should have access to the network. If the data is authorized, the firewall forwards the data on to its destination. If the data is unauthorized, the firewall denies access to the network.
Data is normally transmitted in multiple bundles of information called “data packets” or “packets”. A message, query, etc. from the outside network is broken down into these packets in order to provide more efficient transmission of the data. Once all packets of data arrive at the destination, the packets are re-assembled. However, the packets contain more information than just the transmitted data. FIG. 2 shows a diagram of a prior art data packet 30. The packet 30 includes three segments: a header 32; a body 34; and a trailer 36. The body 34 is the segment that contains the actual substance of the data.
The header 32 and the trailer 36 both contain various fields that are necessary for the administrative control of the packet 30. The header 32 segment includes: a flag 38a; an address field 40; and a control field 42. The trailer 36 segment includes: a sequence check field 44 and a flag 38b. The first flag 38a signifies the start of the packet 30. A second flag 38b signifies the end of the packet 30. The sequence check field 44 provides a check to ensure the data of the packet was properly received. The address field 40 includes the addresses of the source and the destination of the data. The control field 42 contains various information related to the administration of the packet 30 including a “time-to-live” field. The time-to-live field is an internal countdown mechanism that ensures that undeliverable or lost packets are deleted. The time-to-live field is given a certain value when the packet is first transmitted. As the packet passes through various servers, routers, switches, bridges, gateways, etc. that makes up a network, the time-to-live field is decremented once by each device it passes through. Once the time-to-live field reaches zero, the packet is deleted. This mechanism prevents a lost or undeliverable packet from circulating on the network in an endless loop.
FIG. 3 shows a flow chart 50 of a prior art network firewall protection scheme. First, a packet is received at the firewall 52 from the network exterior 20. The firewall then conducts a handshake protocol 54 after receipt of the packet. The operations of network components are governed by protocols. A protocol is simply an established set of rules or standards that allow computers to connect with one another and exchange information and data with as little error as possible. Protocols may vary widely based different types of computer operating systems and on the different types of communications that are being transmitted. A handshake protocol governs a series of signals acknowledging that the transfer of data can take place between devices (“the handshake”). During the handshake, various changes are made to the packet by the firewall. The address of the firewall is added to the address field to show that the packet has left the firewall. Also, the time-to-live field is decremented by the firewall.
After completing the handshake 54, the packet is analyzed by the firewall to determine whether or not the data is acceptable to forward on to its destination in the network 56. The firewall analyzes the data through a technique called “pattern matching” that is well known in the art. Additionally, other techniques such as “protocol analysis” could be used as well. If the packet is authorized, it is forwarded on to the network destination by the firewall 58. If the packet is unauthorized, it is denied access to the network 60 and a message such as “resource denied” or “resource restricted” is sent to the sender. The party who sent the data from the exterior network is able to monitor and detect the presence of the firewall after the handshake protocol 62 and after access has been denied 62 due to the changes in the packet at the handshake 62. Once a hacker is able to detect the presence of a firewall, attempts can be made penetrate it and gain access to the network. If a hacker gains knowledge of the presence of a firewall, probes can be made against it. Ultimately, the firewall may be breached or bypassed and unauthorized access to the network can be gained by the hacker.
In addition to the contents of the data packet described in FIG. 2, a data packet will also contain an “ethernet frame field”. The ethernet frame field is used by an ethernet card which is a piece of hardware within the firewall that manages access to the network. FIG. 4 shows a schematic 70 of a prior art data packet with an ethernet frame field. The contents of the data packet are similar to what was previously described in FIG. 2. The data packet includes three segments: a header 72; a body 74; and a trailer 76. The header 72 segment includes: a flag 78a; an address field 80; and a control field 82. The trailer 76 segment includes: a sequence check field 84 and a flag 78b. Additionally, two segments of the ethernet frame field 86a and 86b are included immediately in front of the first flag 78a and immediately following the second flag 78b respectively.
The ethernet frame field 86a and 86b is simply a protocol for processing the packet. Like the data packet, its contents are changed when it leaves the firewall. Specifically, the firewall adds its specific media access controller (“MAC”) address to frame field 86a and 86b. The MAC address is a layer of the ISO/OSI (International Organization for Standardization/Open Systems Interconnection) reference model. The ISO/OSI model separates computer to computer communication into seven protocol layers. The ethernet card and the MAC are parts of one of the lower layers of this model and they manage access to the physical network.
One prior art solution is to make a firewall more difficult to detect (a “stealth firewall”). FIG. 5 shows a flow chart 90 of a prior art network stealth firewall protection scheme. As shown previously in FIG. 3, a packet is first received at the firewall 92 from the network exterior 20. However, a stealth firewall conducts a different type of handshake protocol 94. A stealth firewall does not decrement the time-to-live field of the packet. Consequently, anyone monitoring the status of the packets in the network exterior 20 will not be able to see the stealth firewall due to a change in the value of the time-to-live field. After the stealth handshake 94, the stealth firewall analyzes the packet 96 in a similar manner as previously described for reference number 56 in prior art FIG. 3. If the packet is authorized, it is forwarded on to the network destination by the firewall 98. If the packet is not authorized, it is denied access to the network 100. However, the firewall does not respond to the sender with any type of message indicating a denial of access. Instead, the stealth firewall simply drops the packet 102. The sender is prevented from detecting the stealth firewall by finding any indication of its presence in a decremented time-to-live field or a denial of access message.
However, a stealth firewall may still be detected by the changes it makes to the packet during its handshake protocol 94. Specifically, a stealth firewall leaves its own MAC address in the packet as it conducts the stealth handshake protocol 94. Once the presence of the stealth firewall is detected through the MAC address, a hacker can then begin to probe the firewall and attempt to find a way around it to gain access to the network. In order to prevent attacks by hackers on a firewall, it is necessary to make the firewall undetectable to parties outside the network.