System and method for increasing the resiliency of firewall...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography

Reexamination Certificate


Details

Classification codes: C713S153000, C713S152000
Document type: Reexamination Certificate
Status: active
Patent number: 06684329

ABSTRACT:

BACKGROUND
1. Field of the Invention
The present invention relates generally to network security, and more particularly, to systems and methods for increasing the security of firewall systems.
2. Discussion of the Related Art
Firewalls are an essential ingredient in a corporate entity's network security plan. Firewalls represent a security enforcement point that separates a trusted network from an untrusted network.
FIG. 1 illustrates a generic example of a network security plan that incorporates a firewall system. In this generic example, firewall system 120 is operative to screen all connections between private network 110 and untrusted system 140. These connections are facilitated by Internet network 130. In the screening process, firewall system 120 determines which traffic should be allowed and which traffic should be disallowed based on a predetermined security policy.
One type of firewall system is an application-level gateway or proxy server, which acts as a relay of application-level traffic. Proxy servers tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the transmission control protocol (TCP) and Internet protocol (IP) level, the proxy server need only scrutinize a few allowable applications (e.g., Telnet, file transfer protocol (FTP), simple mail transfer protocol (SMTP), hypertext transfer protocol (HTTP)). Generally, if the proxy server does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the proxy server can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.
Application-level firewall proxies are fragile, and are growing ever more complex. Customers demand increasing functionality, including the ability to perform tasks such as virus scanning, limits on addresses visited (e.g., to prevent access to pornographic web sites), and detailed scanning of protocols to prevent outsiders from exploiting vulnerabilities in host systems. As the proxies become increasingly complex, the likelihood of flaws that allow security breaches increases. For example, it is likely that there are opportunities in most firewall proxies for buffer overrun attacks.
As the number of protocols increases, proxies are increasingly written by people without sufficient training in writing safe software. End users want to write their own proxies, since they can do it more rapidly than waiting for a firewall vendor to include a suitable proxy in the product. While both vendors and end users make reasonable efforts to ensure that proxies are not being written by hostile developers (who might insert backdoors or other malicious software), it is likely that such capabilities have been inserted in at least some proxies. Finally, there is significant concern among individuals in government and industry that backdoors are being inserted as a byproduct of Y2K remediation.
Since a single faulty proxy can endanger an entire firewall (and the network behind it), it is important to constrain the damage done by an errant proxy. A conventional approach to such threats would be to use good software engineering techniques (including code inspection), personnel security (such as clearances), and improved testing. However, these approaches are not realistic in today's “Internet time” commercial products environment. Accordingly, what is needed is a mechanism for efficiently increasing the integrity of a firewall proxy.
SUMMARY OF THE INVENTION
The present invention meets the aforementioned needs by minimizing the likelihood of flaws in a firewall proxy. This minimization is achieved through the use of software wrappers that introduce fine-grained controls on the operation of existing proxy applications. This feature enables a network security administrator to prevent bugs (or malicious software) in the proxy from subverting the intent of the firewall.
It is a further feature of the present invention that a firewall can be totally wrapped. A totally wrapped system includes a wrapper for the proxies plus a separate wrapper for everything else on the firewall system that can potentially interfere with the wrappers and the proxies. The result is a system where an attacker who breaks through a proxy may run amok within the system, but will be unable to interfere with the wrappers or the proxies.
In a still further feature of the present invention, the software wrappers of the present invention can be integrated with an intrusion detection system. More particularly, the fine-grained controls of the software wrapper place it in a unique position to generate alerts when there is an indication that a flaw exists in the proxy and that the proxy is misbehaving.
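As an added illustration (not code from the patent, nor from the wrapper products it references), the following Python models the wrapper idea described in the summary: a default-deny policy consulted for every sensitive operation of a wrapped proxy, a separate wrapper for everything else on a totally wrapped firewall that keeps other processes from interfering with the proxies or the wrapper policy files, and an alert record for the intrusion detection system whenever a proxy is blocked. The event format, rule names, paths and the sample trace are constructed assumptions of this example.

```python
"""Added example: a user-space model of proxy wrappers (not the patent's code)."""
from dataclasses import dataclass, field

@dataclass
class Event:
    proc: str          # name of the process performing the operation
    op: str            # "open", "connect", "exec", "signal", "write"
    arg: str           # path, host:port, program, or target process name
    mode: str = ""     # "r" or "w" for open

@dataclass
class Wrapper:
    name: str
    rules: dict                      # op -> predicate(Event) -> bool (True = allow)
    alerts: list = field(default_factory=list)   # records handed to the IDS

    def check(self, ev: Event) -> bool:
        """Allow only what the policy explicitly permits (default deny)."""
        allowed = self.rules.get(ev.op, lambda e: False)(ev)
        if not allowed:
            self.alerts.append(f"{self.name}: {ev.proc} blocked {ev.op} {ev.arg}")
        return allowed

# Wrapper for an HTTP proxy: outbound web ports, read-only access to its
# own config directory (assumed path), and nothing else (no exec at all).
def http_proxy_wrapper() -> Wrapper:
    return Wrapper("http-proxy-wrapper", {
        "connect": lambda e: e.arg.rsplit(":", 1)[-1] in ("80", "443"),
        "open": lambda e: e.mode == "r" and e.arg.startswith("/etc/proxy/"),
    })

# Wrapper for "everything else" on a totally wrapped firewall: no process
# may signal a wrapped proxy or modify the wrapper policy files.
PROTECTED = {"http-proxy", "ftp-proxy"}
def system_wrapper() -> Wrapper:
    return Wrapper("system-wrapper", {
        "signal": lambda e: e.arg not in PROTECTED,
        "write": lambda e: not e.arg.startswith("/etc/wrappers/"),
        "open": lambda e: True, "connect": lambda e: True, "exec": lambda e: True,
    })

def run_trace(wrapper: Wrapper, events) -> list:
    """Apply the wrapper to a trace; return the operations it blocked."""
    return [ev.op + ":" + ev.arg for ev in events if not wrapper.check(ev)]

# Constructed trace: normal proxy activity, then behaviour that indicates a
# flawed or subverted proxy (spawning a program, reading an unrelated file).
PROXY_TRACE = [
    Event("http-proxy", "open", "/etc/proxy/http.conf", "r"),
    Event("http-proxy", "connect", "198.51.100.7:443"),
    Event("http-proxy", "exec", "/bin/sh"),
    Event("http-proxy", "open", "/etc/shadow", "r"),
]
```

Running `run_trace(http_proxy_wrapper(), PROXY_TRACE)` blocks the last two events and leaves two alert records on the wrapper, which is the hook the intrusion detection system consumes.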


