System and method for behavior-based firewall modeling

Firewalls are potentially complicated structures that are generally maintained manually by a skilled professional. Firewall owners must therefore limit themselves to simple and inflexible features provided by typical network applications/devices, or they must invest in professionals who are skilled enough to construct and maintain firewalls to their specifications. In other words, the skilled firewall professional provides the intelligence, decision-making and flexibility that is lacking in static firewall technology.

Previous firewall implementations are typically limited in two ways: (1) they are embedded in an inflexible hardware platform with no ability to expand and/or (2) they offer only a very simple set of user-visible features both because they have no expandability and because they lack the conceptual model to express more advanced features in a way that is convenient for customers to use. These solutions are inadequate because they limit the power of the features available to customers.

While statically configured firewalls serve a purpose for protecting static network and computing assets, the ability to dynamically reconfigure firewalls in a changing network environment represents a significant evolutionary step in network firewall technology. Dynamic firewalls can monitor transient network client connections and adjust themselves to optimally serve and protect a dynamically changing network client population on both "sides" of a firewall.

SUMMARY OF THE INVENTION

The communication of data over networks has become an important, if not essential, way for many organizations and individuals to communicate. The Internet is a global network connecting millions of computers using a client-server architecture in which any computer connected to the Internet can potentially receive data from and send data to any other computer connected to the Internet. The Internet provides a variety of methods in which to communicate data, one of the most ubiquitous of which is the World Wide Web. Other methods for communicating data over the Internet include e-mail, Usenet newsgroups, telnet and FTP.

Users typically access the Internet either through a computer connected to an Internet Service Provider ("ISP") or computer connected to a local area network ("LAN") provided by an organization, which is in turn connected to an ISP. The network service provider provides a point of presence to interface with the Internet backbone. Routers and switches in the backbone direct data traffic between the various ISPs.

As the number of networked devices has increased, so too has the amount and nature of network traffic. One unfortunate side effect is the evolution of destructive or unauthorized access to the data or operations of networked devices. As a result, technological advances have produced a general class of network service known as a "firewall", which can block or limit access to computers, networks and services "inside" the firewall, from access by any network devices "outside" the firewall. Representation of "inside" and "outside" a firewall is analogous to physical security and protection, where something "inside" is protected from something "outside". Hence, firewall technology and services normally have one network interface connected to the general internet or an unprotected segment of any network and the protected computer and network assets are located behind another network interface controlled by the firewall that is a different, protected network segment.

Typically, network firewalls are configured in a static manner, wherein the firewall's configuration is established and changes infrequently.

30 Embodiments of the current invention expose a conceptual model of firewall structure that makes it far easier to construct an automated system to bridge the gap between the desires of users and the technical implementation of those desires. One embodiment of the current invention provides a new

35 level of flexibility including, but not limited to, dynamically adding new network interface abstractions or groupings of interface abstractions and tailoring the behavior of those abstractions to the network client devices' specific needs. The embodiment enables the firewall owner to generally describe

40 how the firewall should behave, and the invention can automatically produce the requisite, specific firewall configuration, without detailed manipulation by a human operator.

In one embodiment, this invention models sources and destinations of network traffic (e.g., client, Virtual Private

45 Network, and Wide Area Network-side devices) as "nodes" that exhibit particular sets of behaviors. Network interface devices (including virtual devices) can then be associated with one of the nodes and assigned the same behaviors/rules as all other devices in that particular node. In this way, the data

50 flows between devices can be monitored and controlled according to the behaviors and rules of each device.

Another embodiment of this invention extends the aforementioned behavior description and configuration to modeling the connections between nodes and not just the devices

55 (virtual or physical) of a particular node. That is to say, not only do the devices belonging to a node exhibit particular behaviors, but the connections between each node also exhibit particular behaviors.

Another embodiment of the current invention defines a

60 conceptual framework of the firewall and elucidates the flow of traffic through the gateway and provides a level of abstraction that can be understood and manipulated by human operators to tailor the system's behaviors to their needs.

Another embodiment of the current invention enables the

65 firewall to react dynamically to important changes such as, but not limited to, the addition or removal of physical or virtual network interfaces. This can be especially important 3

for certain applications because the invention permits the deployment of unsophisticated, general implementation technologies (i.e., off-the-shelf hardware) and does not require a custom hardware platform.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the present invention and the advantages thereof may be acquired by referring to the following description, taken in conjunction with the accompanying drawings in which like reference indicates like features and wherein:

FIG. 1 illustrates a set of nodes for a firewall model;

FIG. 2 illustrates a set of firewall rules; and

FIG. 3 illustrates aspects of behaviors applied to packet traversal through the firewall model.

DETAILED DESCRIPTION

The following applications are hereby fully incorporated by reference herein in their entirety: U.S. application Ser. No. 10/683,317, filed Oct. 10, 2003 entitled "SYSTEM AND METHOD FOR PROVIDING ACCESS CONTROL," by Richard MacKinnon, Kelly Looney, and Eric White; U.S. Provisional Application No. 60/551,698, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR BEHAVIORBASED FIREWALL MODELING," by Patrick Turley; U.S. Provisional Application No. 60/551,754, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR COMPREHENSIVE CODE GENERATION FOR SYSTEM MANAGEMENT," by Keith Johnston which converted into U.S. application Ser. No. 11/078,223, filed Mar. 10, 2005 entitled "SYSTEM AND METHOD FOR COMPREHENSIVE CODE GENERATION FOR SYSTEM MANAGEMENT," by Keith Johnston; U.S. Provisional Application No. 60/551, 703, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR PROVIDING A CENTRALIZED DESCRIPTION/ CONFIGURATION OF CLIENT DEVICES ON A NETWORK ACCESS GATEWAY," by Patrick Turley and Keith Johnston; U.S. Provisional Application No. 60/551,702, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR ACCESS SCOPE CONTROL ("WALLED GARDENS") FOR CLIENTS OFANETWORKACCESS GATEWAY,"by Patrick Turley, Keith Johnston, and Steven D. Tonnesen which converted into U.S. application Ser. No. 11/076,591, filed Mar. 10,2005 entitled "METHOD AND SYSTEM FOR CONTROLLING NETWORK ACCESS," by Patrick Turley, Keith Johnston, and Steven D. Tonnesen; U.S. Provisional Application No. 60/551,699, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR DYNAMIC BANDWIDTH CONTROL," by Patrick Turley, et al.; U.S. Provisional Application No. 60/551,697, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY," by Steven D. Tonnesen which converted into U.S. application Ser. No. 11/076,652, filed Mar. 10,2005 entitled "SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY," by Steven D. Tonnesen; U.S. Provisional Application No. 60/551,705, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR DOUBLE-CAPTURE/DOUBLE-REDIRECT TO A DIFFERENT LOCATION," by Keith Johnston, et al. which converted into U.S. application Ser. No. 11/076, 646, filed Mar. 10, 2005 entitled "SYSTEM AND METHOD FOR DOUBLE-CAPTURE/DOUBLE-REDIRECT TO A DIFFERENT LOCATION," by Keith Johnston, et al.; U.S.

4

Provisional Application No. 60/551,704, filed Mar. 10, 2004 entitled "SYSTEM AND METHOD FOR NETWORK MANAGEMENT XML ARCHITECTURAL ABSTRACTION," by Keith Johnston and Mario Garcia which converted

5 into U.S. application Ser. No. 11/076,672, filed Mar. 10,2005 entitled "SYSTEM AND METHOD FOR NETWORK MANAGEMENT XML ARCHITECTURAL ABSTRACTION," by Keith Johnston and Mario Garcia; and U.S. Provisional Application No. 60/551,703, filed Mar. 10, 2005

10 entitled "SYSTEM AND METHOD FOR PROVIDING A CENTRALIZED DESCRIPTION/CONFIGURATION OF CLIENT DEVICES ON A NETWORK ACCESS GATEWORK," by Patrick Turley, et al.

The present invention described herein considers the fire

15 wall as implemented within a device, service or server at the nexus of two network segments but, at a conceptual level, it appears more like any other network traffic origination or destination device; i.e., while the functional aspects of a firewall may differentiate itself from other network infrastructure

20 devices or services, at a conceptual level it inspects, marks, prioritizes and routes traffic similar to other network packet handling service.

Embodiments of this invention seek to abstract the diverse set of network and firewall operations into a generalization of

25 activities amongst "nodes" in the firewall model. With a basic conceptual model, all firewall behavior can be characterized as high-level operations on network traffic flowing through the firewall.

The firewall is the nexus in a fully-interconnected graph 30 (FIG. 1) with four nodes. Each node in FIG. 1 is simultaneously a source of and destination for network packets. Packets travel between nodes over intra-firewall connections within the firewall model. Implementations of intra-firewall connections can be software, in-memory implementations or 35 can be hardware, signaling implementations. A non-limiting example of a software, in-memory implementation can be realized through a computer program product comprising a computer readable storage medium storing computer program code executable b a computer. As one of ordinary skill 40 in the art can appreciate a computer memory is a non-limiting example of a computer readable storage medium.

There are three essential stages to a packet's journey through the firewall model:

Arriving, node-specific behaviors. Where network traffic is 45 inspected upon arrival at a node in the firewall model and the model acts upon this traffic, based on its configuration at the time of the traffic arrival and the processing node's capabilities. Connection-specific behaviors. Some behaviors are con50 textually important when considered as part of a connection between two nodes in the firewall model. When network traffic flows over the connection it can be inspected and handled at one or both of the node endpoints of the connection. 55 Departing, node-specific behaviors. Where network traffic is inspected prior to departure from a node and the firewall acts upon this traffic, based on its configuration at the time of the traffic departure and the processing node's capabilities. 60 Embodiments of this invention employ existing operating system mechanisms to implement the concepts. For example. The Linux operating system has a subsystem known as "iptables" (for Internet Protocol Tables) that offers a "rule" syntax for representing the logic of packet handling through 65 the Linux system.

As illustrated in FIG. 2, and described below, The firewall employs dynamic chains of rules (serialized sequences of one