1. Field of the Invention
The present invention generally relates to computer network firewall systems. More specifically, the present invention relates to treatment of non-RFC-compliant traffic by computer network firewall systems.
2. Description of the Related Art
Typically, firewall systems accept incoming data, filter through the incoming data to identify and block potentially dangerous incoming data, and allow transmission of only data that is safe to transmit. Some firewalls also include policies that automatically perform antivirus scans of data that the firewall has deemed to be otherwise allowable, which may further be used to block dangerous data.
In order to identify potentially dangerous incoming data, some firewalls determine the protocol of the incoming data (i.e., using a “protocol decoder” module). Some firewalls then apply antivirus policies based on the protocol of the incoming data (e.g., for incoming data using the Hypertext Transfer Protocol, allow transmission of the data if cleared by an antivirus scan). Some firewalls also apply traffic blocking policies based on the protocol of the incoming data (e.g., block all incoming data using a Telnet Protocol).
Incoming data may use one of a variety of protocols. In some cases these protocols are standard protocols, such as protocols complying with Request for Comments (RFC) standards; in other cases, these do not match a standard protocol. Standard protocols that comply with Request for Comments (RFC) standards may include Internet Protocol (IP), Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Telnet Protocol (TELNET), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), Hypertext Transfer Protocol (HTTP), Remote Framebuffer Protocol (RFP), Internet Key Exchange Protocol (IKE), and variants of these protocols implementing Transport Layer Security (TLS) or Secure Socket Layer (SSL). Non-standard protocols are sometimes benign variants of these RFC-compliant standard protocols, or are sometimes dangerous protocols designed to circumvent firewall policies or protections in order to damage a firewall, a network, or a receiving system.
Typically, when a firewall receives incoming data using a protocol that is not a standard (i.e., RFC-compliant) protocol, the firewall either blocks the incoming data or allows the incoming data. Blocking the incoming data because it uses a non-standard (i.e., non-RFC-compliant) protocol allows for higher security, but in practice can often block commonly-used communications and break functionality of commonly-used software applications at a recipient computer. Allowing the incoming data—even though a non-standard (i.e., non-RFC-compliant) protocol is used—allows commonly used communications through and preserves functionality of software applications at the recipient computer, but can also allow potentially dangerous incoming data to get through the firewall. In some cases, potentially dangerous incoming data may be able to circumvent additional security measures such as a firewall's antivirus policies. For example, an incoming data packet using a protocol that is a slight variant of the HTTP protocol might be allowed by a firewall without an antivirus scan, despite an antivirus policy that dictates that all incoming data using an HTTP protocol should only be allowed after an antivirus scan is cleared.
As a result, typical firewalls are either insecure due to allowance of data using non-standard protocols (and potential circumvention of firewall security policies), or are too restrictive in blocking all data using non-standard protocols (which also blocks commonly-used communications and thus breaks functionality of commonly-used software applications at a recipient computer).
There is, therefore, a need in the art for improved firewall systems.