Firewall system and method via feedback from broad-scope...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

Classification: C713S152000, C709S235000
Status: active
Patent number: 06715084

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates in general to intrusion detection systems for computer systems and, more particularly, to network-based intrusion detection systems.
BACKGROUND OF THE INVENTION
Numerous present-day computer installations, be they provided with centralized processor units or be they organized in networks interconnecting geographically distributed processor units, have various access points for serving their users. The number of such points and the ease with which they are often accessible have the drawback of facilitating attempts at intrusion by people who are not authorized users and attempts by users of any kind, whether acting alone or in concert, to perform computer operations which such users should not be capable of performing legitimately. These unauthorized users are typically called “hackers” or “crackers”.
Moreover, the open network architecture of the Internet permits a user on a network to have access to information on many different computers, and it also provides access to messages generated by a user's computer and to the resources of the user's computer. Hackers present a significant security risk to any computer coupled to a network where a user for one computer may attempt to gain unauthorized access to resources on another computer of the network.
In an effort to control access to a network and, hence, limit unauthorized access to computer resources available on that network, a number of computer communication security devices and techniques have been developed. One type of device which is used to control the transfer of data is typically called a “firewall”. Firewalls are routers which use a set of rules to determine whether a data message should be permitted to pass into or out of a network before determining an efficient route for the message if the rules permit further transmission of the message.
One fundamental technique used by firewalls to protect network elements is known as “packet filtering”. A packet filter may investigate address information contained in a data packet to determine whether the source machine, from which the packet originated, is on a list of allowed addresses. If the address is on the list, the packet is allowed to pass. Otherwise the packet is dropped. Packet filtering using lists of allowed protocols (e.g., file transfer FTP, web access HTTP, email POP) is also sometimes done, either alone or in combination with the more stringent address-based packet filtering method.
One problem with address-based packet filtering is that hackers have developed a technique known as “address spoofing” or “IP spoofing” wherein address information within a fabricated packet is manipulated to bypass a packet filter (e.g., by placing the address information of a machine which is on the allowed list within the packet, even though the true source address which would normally be placed within the packet is different and disallowed). Address spoofing may also be used to make it appear that the packet originates in the network that the firewall protects, and thus is on a default allowed list.
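The following is an added example, not code from the patent, illustrating the two filtering methods just described (address list and protocol list) and why an address-only filter is defeated by a packet that spoofs an inside address. The address ranges, the protocol list and the idea of tagging each packet with the interface it arrived on are assumptions made for the illustration; the hardened variant adds the ingress-consistency check that the text's address-only filter lacks.

```python
"""Packet filtering with address and protocol allow lists, plus an
ingress-interface check against spoofed internal source addresses.

Constructed example; not the patent's code. Addresses, protocol list and
the 'ingress' tag are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed configuration: the network behind the firewall and the
# external sources / protocols the filter is willing to accept.
INTERNAL_NET = ip_network("10.0.0.0/8")
ALLOWED_EXTERNAL_SOURCES = [ip_network("198.51.100.0/24")]
ALLOWED_PROTOCOLS = {"HTTP", "FTP", "POP"}


@dataclass(frozen=True)
class Packet:
    src: str        # source address carried in the packet header
    dst: str        # destination address
    protocol: str   # application protocol, e.g. "HTTP"
    ingress: str    # interface the packet arrived on: "external" or "internal"


def source_on_allow_list(pkt: Packet) -> bool:
    """Address-based packet filtering: is the claimed source on the list?"""
    src = ip_address(pkt.src)
    return any(src in net for net in ALLOWED_EXTERNAL_SOURCES)


def protocol_allowed(pkt: Packet) -> bool:
    """Protocol-based packet filtering against the allowed-protocol list."""
    return pkt.protocol in ALLOWED_PROTOCOLS


def is_spoofed_internal_source(pkt: Packet) -> bool:
    """A packet that arrives on the external interface but carries an
    internal source address cannot be genuine: an inside host never
    reaches the outside interface via the public network. This is the
    case an address-only filter misses."""
    return pkt.ingress == "external" and ip_address(pkt.src) in INTERNAL_NET


def address_only_filter(pkt: Packet) -> str:
    """The weak filter from the text: trusts the header's source address.
    Internal addresses sit on the default allow list, so a spoofed packet
    claiming an inside source passes."""
    if ip_address(pkt.src) in INTERNAL_NET or source_on_allow_list(pkt):
        return "pass"
    return "drop:source-not-allowed"


def hardened_filter(pkt: Packet) -> str:
    """Address list + protocol list + ingress consistency, so the source
    header alone cannot open the door."""
    if is_spoofed_internal_source(pkt):
        return "drop:spoofed-internal-source"
    if pkt.ingress == "external" and not source_on_allow_list(pkt):
        return "drop:source-not-allowed"
    if not protocol_allowed(pkt):
        return "drop:protocol-not-allowed"
    return "pass"


# Constructed sample traffic: a legitimate external request, a spoofed
# packet claiming an inside address, and a disallowed protocol.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.0.10", "HTTP", "external"),
    Packet("10.0.0.25", "10.0.0.10", "HTTP", "external"),
    Packet("198.51.100.7", "10.0.0.10", "TELNET", "external"),
]


def compare(packets=SAMPLE_PACKETS):
    """Return (address-only verdict, hardened verdict) for each packet."""
    return [(address_only_filter(p), hardened_filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (weak, strong) in zip(SAMPLE_PACKETS, compare()):
        print(f"{pkt.src:>14} via {pkt.ingress}: address-only={weak} hardened={strong}")
```

The second sample packet is the spoofing case from the text: its source field names a host behind the firewall, so the address-only filter passes it, while the hardened filter rejects it because an internal source address on the external interface is contradictory regardless of what the allow list says.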
An example of a conventional firewall arrangement is depicted in FIG. 1. A host computer 100 communicates with an institutional computer system 106 over a public network 102 through a router 104. A router is a network element that directs a packet in accordance with address information contained in the packet. The institutional computer system 106 supports a variety of applications including a Web server 108 and an e-mail system 114. A firewall system 110 with ports 111, 112, 113 is placed between the router 104 and the institutional computer 106. Port 112 connects an internal network 116 to the firewall 110, while ports 111 and 113 connect the public network 102 and the institutional computer 106, respectively. The internal network 116 may support communication between internal terminal(s) 118 and a database 120, possibly containing sensitive information. Such a firewall system 110, however, although intended to protect resources 118 and 120 connected to the internal network 116, is subject to attack in many ways.
A hacker operating the host computer 100 can utilize publicly accessible applications on the institutional computer system 106, such as the Web server 108 or the e-mail system 114, to attack the firewall system 110 or connect to the internal network port 112. The Web server 108 or the e-mail system 114 may have authority to attach to and communicate through the firewall system 110. The hacker might be able to exploit this by routing packets through, or mimicking, these network elements in order to attach to, attack, or completely bypass the firewall system 110.
Most conventional firewalls, unless configured otherwise, are transparent to packets originating from behind the firewall. Hence, the hacker may insert the source address of a valid network element residing behind the firewall 110, such as the terminal 118, into a fictitious packet. Such a packet may then be able to pass through the firewall system 110. The hacker may even configure the packet to contain a message requesting the establishment of a session with the terminal 118. The terminal 118 typically performs no checking itself, instead relying on the firewall, and assumes that such a session request is legitimate. The terminal 118 acknowledges the request and sends a confirmation message back through the firewall system 110. The ensuing session may appear to be valid to the firewall system 110.
The hacker can also initiate multiple attempts to attach to the port 111. Technically, a connection to the port is formed before the firewall 110 is able to filter the authority of the request. If enough connection requests hit the port 112, it may be rendered unavailable for a period of time, denying service to incoming requests from the public network and, more importantly, denying access to the internal network 116 for outgoing messages. It is readily apparent that conventional firewall systems, such as the one depicted in FIG. 1, are unacceptably vulnerable in many ways.
Hackers have also developed other ways which may be helpful in bypassing the screening function of a router. For example, one computer, such as a server on the network, may be permitted to receive sync messages from a computer outside the network. In an effort to get a message to another computer on a network, a hacker may attempt to use source routing to send a message from the server to another computer on the network. Source routing is a technique by which a source computer may specify an intermediate computer on the path for a message to be transmitted to a destination computer. In this way, the hacker may be able to establish a communication connection with a server through a router and thereafter send a message to another computer on the network by specifying the server as an intermediate computer for the message to the other computer.
In an effort to prevent source routing techniques from being used by hackers, some routers (including some firewalls) may be configured to intercept and discard all source routed messages to a network. For a router configured with source routing blocking, the router may have a set of rules for inbound messages, a set of rules for outbound messages and a set of rules for source routing messages. When a message which originated from outside the network is received by such a router, the router determines if it is a source routed message. If it is, the router blocks the message if the source routing blocking rule is activated. If blocking is not activated, the router allows the source routed message through to the network. If the message is not a source routed message, the router evaluates the parameters of the message in view of the rules for receiving messages from sources external to the network. However, a router vulnerability exists where the rules used by the router are only compared to messages that are not source routed and the s
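An added example, not code from the patent, of the rule evaluation order just described. It models a router whose inbound rules admit session requests to a single public server, and contrasts the flow in the text (a source-routed message is judged only by the source-routing rule, so with blocking off it is forwarded without ever meeting the inbound rules) with a hardened evaluation that applies the inbound rules to every hop of a source-routed message as well. The address range, the single-server rule and the message fields are assumptions.

```python
"""Router rule evaluation for inbound vs. source-routed messages.

Constructed example; not the patent's code. The internal range, the
'public server' inbound rule and the Message fields are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")
# Constructed inbound rule: the only host that may receive session
# requests from outside the network.
PUBLIC_SERVER = ip_address("10.0.0.10")


@dataclass(frozen=True)
class Message:
    src: str                  # external sender
    dst: str                  # final destination
    source_route: tuple = ()  # intermediate hops named by the sender


def inbound_rules_allow(dst: str) -> bool:
    """Rule set for messages that originate outside the network."""
    addr = ip_address(dst)
    return addr in INTERNAL_NET and addr == PUBLIC_SERVER


def evaluate_as_described(msg: Message, block_source_routed: bool) -> str:
    """Flow from the text: a source-routed message is decided solely by the
    source-routing rule. With blocking off it is forwarded without the
    inbound rules ever being consulted."""
    if msg.source_route:
        return "drop:source-routed" if block_source_routed else "forward"
    return "forward" if inbound_rules_allow(msg.dst) else "drop:inbound-rule"


def evaluate_hardened(msg: Message, block_source_routed: bool) -> str:
    """Apply the inbound rules to every message, and for a source-routed
    one to each named hop and the final destination, so naming the public
    server as a waypoint cannot carry a message on to a protected host."""
    if msg.source_route and block_source_routed:
        return "drop:source-routed"
    for hop in (*msg.source_route, msg.dst):
        if not inbound_rules_allow(hop):
            return f"drop:inbound-rule:{hop}"
    return "forward"


# Constructed traffic: a direct request to the public server, and a
# source-routed message that names the server as a hop on the way to
# another internal host.
SAMPLE_MESSAGES = [
    Message("203.0.113.9", "10.0.0.10"),
    Message("203.0.113.9", "10.0.0.20", source_route=("10.0.0.10",)),
]


def compare(block_source_routed: bool, messages=SAMPLE_MESSAGES):
    """Return (as-described verdict, hardened verdict) per message."""
    return [
        (evaluate_as_described(m, block_source_routed),
         evaluate_hardened(m, block_source_routed))
        for m in messages
    ]


if __name__ == "__main__":
    for blocking in (False, True):
        print(f"source-routing blocking = {blocking}")
        for msg, (weak, strong) in zip(SAMPLE_MESSAGES, compare(blocking)):
            print(f"  -> {msg.dst} via {msg.source_route or 'direct'}: "
                  f"as-described={weak} hardened={strong}")
```

With blocking switched off, the second message shows the gap: the as-described evaluation forwards it because it is source-routed and the blocking rule is inactive, whereas the hardened evaluation still rejects it because its final destination (10.0.0.20) is not permitted by the inbound rules.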
