WO2001060019A1 - Computer security system - Google Patents

Computer security system

Info

Publication number: WO2001060019A1
Authority: WO (WIPO, PCT)
Prior art keywords: computer, communications, proxy, link, communications link
Application number: PCT/GB2001/000154
Other languages: French (fr)
Inventor: Simon Robert Wiseman
Original Assignee: Qinetiq Limited
Application filed by Qinetiq Limited
Priority to AU2001225366A
Publication of WO2001060019A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies

Definitions

  • This invention relates to a computer security system, to a computer program for implementing it and to a method for implementing computer security.
  • Computer security is particularly important for computer networks allowing communication between software applications running on different computers which exchange data. Applications may communicate by requests to an operating system's network driver software, which handles requests to send and receive data by mapping them into commands to hardware network devices, thus providing applications with a network service.
  • Typical network driver software is designed for ease of communication between applications. This conflicts with computer security requirements, for which it is necessary to control access so that unconstrained communication to applications is impossible or at least very unlikely.
  • routers (also bridges or gateways)
  • the effect of this is that software applications in communicating computers have a restricted interface
  • Routing functionality is found in computers such as those running Windows NT and Unix operating systems in addition to special purpose routers
  • the text book "Building Internet Firewalls" by D B Chapman and E D Zwicky discloses interposing an application proxy between applications running on computers in different networks to control communication between them
  • the computer which connects the networks also runs the application proxy, and is referred to as a proxy firewall or bastion host firewall.
  • Applications on linked computers communicate via the application proxy.
  • the proxy mimics software application behaviour, so communicating applications act as if communication were direct, but in fact it is indirect and relayed through the proxy.
  • the proxy can be configured to check communication between applications, and impose restrictions. Unlike router checks, these checks can be made on communications themselves, rather than restricting the interface between applications and the network service.
  • standard computers providing proxy firewalls are designed so that network drivers can connect networks together seamlessly, making it possible to bypass the application proxy.
  • the proxy may be bypassed if other application software runs on the firewall, because network drivers are designed to be shared by multiple applications.
  • For a proxy firewall to meet security requirements, the driver's standard routing functionality must be removed or disabled so that it cannot be restored while the firewall is operating. This is difficult to achieve using a standard computer and operating system for which source code is not generally available. However, there are examples of it having been done: e.g. Network Associates Inc., California, USA, have a firewall product referred to as Gauntlet® Firewall 5.0 for Windows. A proxy firewall can also be built using non-standard operating systems. The British Defence Evaluation and Research Agency has a firewall toolkit referred to as "SWIPSY" which disables the routing function using labelling functionality from an operating system supplied by
  • a disc is connected via a switch to one computer or another in different networks.
  • Application proxies in both computers communicate with applications on one respective side, and with the other proxy on the other, by transferring data through the shared disc. They control the switch jointly with a handshaking arrangement, and in effect control alternates between them.
  • This approach however has the disadvantage that appropriate switch hardware is not a standard commodity component.
  • a proxy firewall may be referred to as a "dual-homed" firewall if (as is common) it involves a single computer with two network interfaces and respective network communications links with two different networks simultaneously: this is disclosed for example in published GB Pat. Appln No. 2,317,539A (inventors E B Stockwell and A E Klietz) and by D B Chapman and E D Zwicky in Firewall Design, January 1996, Sunworld Online.
  • the drawback of this approach is that it is difficult to ensure that the computer's operating system software does not bypass its firewall application software by seamlessly routing traffic between the two interfaces - this is standard functionality in common operating systems such as Windows NT.
  • An operating system may be modified to include special functionality to avoid the firewall being bypassed, for example as described by GB Pat.
  • the present invention provides a computer security system comprising a proxy firewall computer incorporating software implementing an application proxy for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link actuated by means of a device driver and the computer is arranged to provide for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
  • non-networked communications link means a communications link which the proxy firewall computer's operating system does not treat as a network communications link and will not automatically link it to a network link.
  • Non-networked communications links are currently implemented by a combination of hardware and software, although this may be done in software only in future.
  • the invention provides the advantage that communication does not bypass the application proxy because of the use of a non-networked communications link and the restriction associated with access to that link: in consequence the application proxy can monitor traffic passing between the first and second communications links to apply business-specific checks, and the security controls found in mainstream operating systems can be applied to ensure these checks cannot be bypassed.
  • With the invention it is possible to implement a proxy firewall using standard hardware and, largely at least, standard software.
  • the invention deals with a long-felt want by solving a problem for which there have been many failed or inadequate solutions as indicated above and as will be described later in more detail.
  • the restriction may be at least partly implemented by the application proxy receiving exclusive access to the communications link from the device driver or by the application proxy transforming conventional network communications to a format transmissible by the communications link.
  • the communications link may transmit data receivable by any other computer or network connected to it without regard to a data address, and the communications link may be a serial data link such as an RS232, IEEE488 or IEEE1394 data link.
  • the proxy firewall computer may be one of a plurality of like proxy firewall computers each providing security for a respective associated computer or computer network, the communications link being common to each firewall computer, the proxy firewall computers being connected to it simultaneously in normal operation.
  • each proxy firewall computer may provide security for an associated computer or computer network connected thereto by a network link suitable for conventional network communications.
  • the present invention provides computer software for a proxy firewall computer and implementing an application proxy for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link, the software is arranged to implement a device driver for the second communications link and to provide for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
  • the restriction may be at least partly implemented by the application proxy receiving exclusive access to the communications link from the device driver or by the software being configured to provide or accept a data format appropriate for the communications link but unsuitable for transmitting conventional network communications.
  • the data format may be unaddressed and serial.
  • the software of the invention may be configured to implement a proxy firewall providing security for an associated computer or computer network communicating therewith by a network link suitable for conventional network communications.
  • the present invention provides a method of providing security for a computer system comprising a proxy firewall computer incorporating software implementing an application proxy and a device driver for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link actuated by means of a device driver and the method includes providing for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
  • Communications may be restricted by the application proxy receiving exclusive access to the communications link from the device driver or by the application proxy transforming conventional network communications to a data format transmissible by the communications link.
  • the data format may not require a data address indicating a recipient, and may be a serial data format.
  • FIGS 1 to 9 are schematic block diagrams of prior art computer systems
  • Figure 10 is a schematic block diagram of a computer security system of the invention.
  • Figure 11 illustrates communication between application software and application proxies in the system of Figure 10;
  • Figures 12 and 13 indicate software items suitable for use in the system of Figure 1;
  • Figure 14 illustrates five networking arrangements implementing the invention.
  • In FIG. 1, a simplified structure of a prior art computer indicated generally by 10 is shown as a combination of application software 12, system call interface 14, device driver software 15 within an operating system (not shown), a bus 16 for a central processing unit (CPU) and peripherals, electronic device hardware 18 and a connection 20 to external facilities (not shown).
  • the term application software is used to indicate a computer program which runs on a computer to perform a task, and is distinguished from a "software tool" used to work on computer programs.
  • Application software 12 makes requests to send and receive data to the hardware device 18 by making operating system calls to driver software 15.
  • the driver software 15 services requests by controlling the hardware device 18, usually in accordance with some complex protocol. It is unusual for the application's request to be mapped in a direct manner to the way the device 18 operates.
  • the hardware device 18 receives commands and data from the driver 15, and sends status information and data back to it.
  • the device 18 may contain storage such as a disc (not shown), and as illustrated it has an external connection 20 to other devices such as a computer network (not shown). Devices of this kind usually have either a disc or a network card, but could have both.
  • In FIG. 2, there is shown a more complex form of prior art computer 30 with more than one hardware device 32 and an operating system containing multiple drivers 34 in two layers indicated by suffixes a and b.
  • the drivers 34 are structured into layers: in some cases a driver 34a calls on the services of another driver 34b rather than driving a device 32 directly, and application software 38 may be connected to all drivers 34a in a layer. It is also possible to have more than one driver 34a use another driver 34b (as shown) or device (not shown).
  • computers 10a and 10b may be connected to a network indicated by a connection 40 allowing applications on different computers to communicate and exchange data.
  • the drivers 15a and 15b handle these requests to send and receive data and map them, using complex protocols, into commands to the hardware network devices 18a and 18b, between which data is passed across a network medium 40.
  • In FIG. 4, there is shown a prior art network 50 arranged to provide some degree of computer security. Parts equivalent to those previously described are like-referenced with an added suffix c or d.
  • Two computers 10c and 10d are joined together to form a single logical network using a special computer 52 called a router and indicated within dotted lines.
  • the router 52 incorporates network driver software 54 and two hardware network devices 56 connected via communications links 58 and 60 to the computers 10c and 10d respectively. It does not run application software.
  • the driver software 54 in the router 52 joins the computers 10c and 10d together seamlessly, in that their operation and communication with one another is unaffected by the fact that they are not connected together directly but instead indirectly through the router's driver 54. When they communicate through the router 52, the latter appears to each of the computers 10c and 10d to be the other. As has been said, the router 52 has no application software, and so rather than passing data to such an application, the driver 54 passes data from one device 56 to the other and thereby across from one computer 10c or 10d to the other.
  • Although routers can make communication between different networks seamless, it is possible to configure them to restrict what communication can take place by imposing restrictions on the kinds of communication that the router will relay.
  • the effect of this is to place constraints upon a network service available to software applications in communicating computers, instead of upon communications between applications. Constraints so applied usually do not relate directly to the nature of communications between software applications and cannot accurately reflect this. Routing functionality is found in conventional computers (e.g. those running NT and Unix operating systems) as well as special routers.
  • Two computers 10e and 10f are shown and are linked together by a special type of computer indicated within chain lines 70 and referred to as a proxy firewall (or bastion host firewall).
  • the proxy firewall 70 is equivalent to a router 52 (see Figure 4) with the addition of an application proxy 72 which controls operation of the router's network device driver 54e.
  • the proxy firewall computer 70 also runs the application proxy 72.
  • the application proxy 72 is in effect interposed between software applications running on different computers 10e and 10f in order to impose meaningful control on communication between them.
  • the network device driver 54e does not connect the communicating computers 10e and 10f together in a seamless way. Instead, applications on these computers communicate via the application proxy 72.
  • To a software application running on one of the computers 10e and 10f the application proxy 72 mimics the behaviour of an application running on the other, so these applications behave as if they were communicating directly with one another, whereas in fact communication is intended to be indirect and relayed through the application proxy 72.
  • the proxy 72 may be configured to check communication taking place between applications (as opposed to constraining a network), and impose any restrictions that might be required.
  • An application proxy 72 is nothing more than a special software application which can run on a standard computer providing the proxy firewall 70.
  • standard computers are designed so that their network drivers 54e can connect communicating computers 10e and 10f together in a seamless fashion. In consequence it is possible for these computers to bypass the application proxy 72 via the driver 54e as shown in Figure 6 by a dotted line 74.
  • the application proxy 72 may also be bypassed if the proxy firewall 70 runs other application software 76 via which the computers 10e and 10f may communicate as indicated by a dotted line 78. This is because a typical network driver 54e is designed to be shared by multiple applications.
  • the network driver's standard routing functionality must be removed or disabled in such a way that it cannot be restored under any circumstances while the firewall is operating. This is difficult to achieve and it is even more difficult to verify that it has been achieved, given the desire to use a standard computer and operating system software for which source code is not generally available.
  • Proxy firewalls have been built using non-standard operating systems having labelling functionality or supporting data typing.
  • In FIG. 8, there is shown a further prior art approach to secure computer networking: parts equivalent to those previously described are like-referenced with an added suffix g, h or i.
  • Two computers 10g and 10h are linked together by links 58g and 60h and a third computer 70i providing another form of firewall.
  • the arrangement is equivalent to Figures 5 to 7 with devices 56e and 56f replaced by the combination of a single device 56i and a switch 80, which together with a driver 54i and application proxy 72i are incorporated in a firewall computer 70i.
  • the switch 80 provides a connection from the firewall computer 70i to one of the computers 10g and 10h or the other but not to both simultaneously. It breaks the connection to one of these computers before connecting to the other, so the two computers 10g and 10h are always electrically isolated from one another.
  • a timer which acts independently of the firewall computer 70i changes the switch connection between the two computers 10g and 10h at regular intervals.
  • Network drivers 54 are designed to overcome failures and congestion in networks, typically by buffering or storing communication requests and retrying them periodically should an error occur. It is therefore possible for the driver 54i to accept requests from one computer while the switch is thrown in that direction, and buffer them until the switch is thrown to the other computer. This means that a communication which the application proxy 72i would have rejected bypasses the latter and becomes routed via the driver 54i.
  • Another disadvantage of the switching technique is that the switch 80 introduces considerable latency or delay in the communication between applications, which makes it unsuitable for web browsing and other forms of interactive communication.
  • In FIG. 9, there is shown a further prior art approach to secure computer networking: parts equivalent to those previously described are like-referenced with an added suffix j or k.
  • Two computers 10j and 10k are associated with respective firewall computers 70j and 70k connectable by a switch 88 to a disc memory 90.
  • the switch 88 provides a connection from the disc 90 to one of the firewall computers 70j and 70k or the other (and thence to the respective associated computer 10j or 10k), but not to both simultaneously. It breaks the connection to one firewall before connecting to the other, so only one of the two computers 10j and 10k can communicate with the disc at any time.
  • Application proxies 72j and 72k in the firewalls 70j and 70k communicate with respective software applications 12j and 12k in associated computers 10j and 10k to one side and with the disc 90 on the other side. They each have different paths for communication with the disc 90 and the respective associated computers 10j and 10k so that they cannot be bypassed. They communicate with one another by transferring data through the shared disc 90, and they control the switch 88 by sending commands through driver software 54j/54k to device hardware 56j/56k.
  • Because driver software for discs is quite different to that used to control computer network devices, it is highly unlikely that the driver software 54j/54k will use the disc to connect the two computer/firewall combinations 10j/70j and 10k/70k seamlessly: in consequence the application proxies 72j/72k are unlikely to be bypassed.
  • the problem of latency is avoidable by using a fast disc 90 and a switch 88 controlled by the application proxies 72j and 72k.
  • switch hardware is not a standard commodity component.
  • In FIG. 10, there is illustrated a secure computer network 100 in accordance with the present invention: parts equivalent to those previously described are like-referenced with an added suffix m or n.
  • Two computers 10m and 10n are associated with respective proxy firewalls 70m and 70n indicated within dotted lines (each computer 10m or 10n could be replaced by a computer network).
  • Application proxies 72m and 72n in respective firewalls 70m and 70n communicate via network media 58m and 60n with respective software applications 12m and 12n in associated computers 10m and 10n to one side in each case and with each other via a link medium 102 on the other side.
  • the network media 58m and 60n connecting the proxy firewalls 70m and 70n to respective computers or networks 10m and 10n are standard network communication devices which transmit conventional network communications.
  • the link medium 102 connecting the proxy firewalls 70m and 70n together will not transmit conventional network communications because their drivers 54m and 54n do not allow its use to be shared by two or more applications: this avoids a proxy 72m or 72n being bypassed.
  • Some link media such as IEEE488 and IEEE1394 do implement addresses, but only to distinguish computers or devices attached to them, and not individual applications running on a computer; this is for example unlike TCP/IP (the standard protocol for network communication), where an IP address identifies a computer and a "port or socket number" identifies an application within that computer.
  • the link medium 102 comprises communications link devices which may be serial or parallel data links, and may operate synchronously or asynchronously, e.g. RS232, IEEE488 or IEEE1394. These links transmit data as a stream of bytes receivable by any computer connected to them provided that it is programmed appropriately to process data in this form. Unlike conventional network links, they supply data to any computer connected to them without regard to recipient address(es) which would be embedded in data passed through a network.
  • Applications software 12m and 12n communicate with one another via the series arrangement of the two application proxies 72m and 72n connected by the link medium 102.
  • each application proxy 72m or 72n has a path which is different to that for communication with the respective associated computer 10m or 10n: it therefore cannot be bypassed; each path includes a respective software driver 54m or 54n and network device 56m or 56n.
  • the invention may be used to connect individual computers as shown in Figure 10, or computer networks. It employs a separate proxy firewall 70m or 70n for each computer or network to be connected.
  • Because network driver software does not normally use a communications link medium 102 for networked communication, it is unlikely that the network drivers 54m and 54n will seamlessly connect the two computers 10m and 10n.
  • However, networked communication across the link medium 102 is possible, e.g. dial-up connections: this conflicts with the computer security requirement and it is therefore necessary to check the network 10m/70m/10n/70n shown in Figure 10 to ensure that this is not the case.
  • the required check involves examining the driver structure of the proxy firewalls 70m and 70n. It is necessary to establish that no driver 54m or 54n provides access both to the associated computer 10m or 10n and to the link medium 102.
  • the respective application proxy 72m or 72n is then arranged to obtain exclusive access to the driver 54m or 54n connected directly to the link medium 102: this provides confidence that the only communication taking place between the firewalls 70m and 70n through the link medium 102 passes through both application proxies 72m and 72n.
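The driver-structure check and the exclusive-access arrangement of the last three points can be automated on a modern Linux proxy firewall. The following Python is an added example, not the patent's or any product's code: it assumes the kernel's `ip_forward` sysctl and `ip -o link` output as inputs (the sample output is constructed), treats any PPP or SLIP interface as evidence that a serial line is being used for networked communication, and claims the link device with `flock` plus `TIOCEXCL` so that no second application can open it.

```python
import fcntl
import os
import re
import tempfile
import termios

# Constructed sample of `ip -o link` output from a firewall host (not from the patent).
# ppp0 means a serial line has been turned into a dial-up network interface.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
"""

# Interface name prefixes that indicate networked use of a serial line (PPP, SLIP).
NETWORKED_SERIAL_PREFIXES = ("ppp", "sl")


def forwarding_enabled(ip_forward_text):
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward ('1' = kernel routes)."""
    return ip_forward_text.strip() == "1"


def networked_serial_interfaces(ip_link_text):
    """Return interface names that expose a serial line as a network link."""
    names = []
    for line in ip_link_text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)", line)
        if m and m.group(1).startswith(NETWORKED_SERIAL_PREFIXES):
            names.append(m.group(1))
    return names


def audit(ip_forward_text, ip_link_text):
    """Findings that would let traffic reach the link medium without passing the proxy."""
    findings = []
    if forwarding_enabled(ip_forward_text):
        findings.append("ip_forward=1: kernel can relay packets between interfaces")
    for name in networked_serial_interfaces(ip_link_text):
        findings.append(name + ": serial line is driven as a network interface")
    return findings


def claim_link(path):
    """Open the link device for the proxy with exclusive access; None if already held."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # refuse a second opener
        if os.isatty(fd):
            fcntl.ioctl(fd, termios.TIOCEXCL)             # kernel-enforced on a real tty
    except OSError:
        os.close(fd)
        return None
    return fd


def exclusive_claim_demo(path=None):
    """Return (first_claim_ok, second_claim_refused); uses a temp file if no device given."""
    tmp = None
    if path is None:
        tmp = tempfile.NamedTemporaryFile()   # stand-in for the serial device node
        path = tmp.name
    first = claim_link(path)
    second = claim_link(path)
    try:
        return first is not None, second is None
    finally:
        for fd in (first, second):
            if fd is not None:
                os.close(fd)
        if tmp is not None:
            tmp.close()
```

On a deployed firewall, `audit` would be fed the live sysctl and `ip -o link` text and must return an empty list before the proxy is started.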
  • the applications 12m and 12n which are communicating with one another may be the same type of software at different sites, for example two video conference applications such as "NetMeeting" supplied by the Microsoft Corporation (USA), or different software - for example a web browser such as Netscape Navigator® from the Netscape Communications Corporation (USA) and a web server such as that supplied by the Apache Software Foundation (USA).
  • These examples both involve user interaction, but it is equally possible for server applications to communicate with each other without human intervention, for example two databases exchanging update information.
  • video conferencing might use protocol H.323 and for web browsing it is likely to be protocol HTTP.
  • one software application makes a request which is passed to the other via the firewalls 70m and 70n and link medium 102, causing the other to take some action and return a response.
  • the application proxies 72m and 72n are written specifically for the relevant protocol actually used by the communicating applications 12m and 12n. They have exactly the same external interface as the applications 12m and 12n and mimic their behaviour, except that they may also make some additional security checks.
  • In FIG. 11, which illustrates the nature of communication between elements of Figure 10, when one application 12m or 12n sends a request indicated by an arrow to the other, the request is passed to its associated application proxy 72m or 72n on the same side of the link medium 102.
  • the relevant application proxy 72m or 72n applies any appropriate security checks and, if the latter are satisfied, it passes the request on to the other application proxy 72n or 72m via the link medium 102. If the security checks are not satisfied, it may modify the request to meet them if that is possible and then pass on the version so modified, or reject it if such modification is not possible.
  • On receipt of a request at 112, the other application proxy 72n or 72m makes further security checks upon it and modifies it once more to meet them if necessary, and then, if the request with any required modifications satisfies the checks, it is passed at 114 to the application software 12n or 12m in the associated computer 10n or 10m.
  • On receipt of a request at 114, the other application 12n or 12m takes action as indicated in the request and constructs a reply which is sent at 116 to its associated application proxy 72n or 72m on the same side of the link medium 102.
  • This proxy 72n or 72m applies to the reply the procedure described above of security check/modify if necessary: if the procedure is satisfied, at 118 it passes the reply or a modified equivalent to the other application proxy 72m or 72n via the link medium 102.
  • the other application proxy 72m or 72n repeats the procedure of security check/modify if necessary: if the procedure is satisfied the reply as modified where necessary is passed at 120 to the application software 12m or 12n in the associated computer 10m or 10n.
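The request/reply flow of Figure 11 is worked through in the following added Python example (not from the patent): each proxy checks a message, modifies it where that satisfies the check, and otherwise rejects it. The two proxies, their HTTP-style policies (allowed methods, headers to strip, allowed reply media types), the request paths and the server application are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    kind: str                      # "request" or "reply"
    method: str = ""               # request method, HTTP style
    path: str = ""                 # request path, HTTP style
    status: int = 0                # reply status, HTTP style
    headers: dict = field(default_factory=dict)


class Proxy:
    """One application proxy (72m or 72n): check, modify if possible, else reject (None)."""

    def __init__(self, name, allowed_methods, strip_headers, allowed_reply_types):
        self.name = name
        self.allowed_methods = set(allowed_methods)
        self.strip_headers = {h.lower() for h in strip_headers}
        self.allowed_reply_types = set(allowed_reply_types)
        self.log = []

    def process(self, msg):
        # Work on a copy so the sender's object is never altered behind its back
        msg = Message(msg.kind, msg.method, msg.path, msg.status, dict(msg.headers))
        if msg.kind == "request" and msg.method not in self.allowed_methods:
            self.log.append(f"{self.name}: rejected request method {msg.method}")
            return None
        if msg.kind == "reply":
            media = msg.headers.get("Content-Type", "").split(";")[0].strip().lower()
            if media not in self.allowed_reply_types:
                self.log.append(f"{self.name}: rejected reply type {media or '(none)'}")
                return None
        for name in list(msg.headers):
            if name.lower() in self.strip_headers:   # a check that modification can satisfy
                del msg.headers[name]
                self.log.append(f"{self.name}: stripped header {name}")
        return msg


def exchange(request, proxy_m, proxy_n, application_n):
    """Figure 11: request from 12m passes 72m then 72n (112, 114); 12n replies (116);
    the reply passes 72n then 72m (118, 120). None means rejection somewhere on the path."""
    req = proxy_m.process(request)
    if req is None:
        return None
    req = proxy_n.process(req)          # received at 112
    if req is None:
        return None
    reply = application_n(req)          # delivered at 114, reply sent at 116
    reply = proxy_n.process(reply)
    if reply is None:
        return None
    return proxy_m.process(reply)       # received at 118, delivered at 120


def make_proxies():
    """Constructed policies: the browser-side proxy strips cookies and admits only GET/HEAD;
    the server-side proxy hides the Server banner; both admit only HTML/text replies."""
    proxy_m = Proxy("72m", {"GET", "HEAD"}, {"Cookie"}, {"text/html", "text/plain"})
    proxy_n = Proxy("72n", {"GET", "HEAD", "POST"}, {"Server"}, {"text/html", "text/plain"})
    return proxy_m, proxy_n


def run_demo():
    """Three constructed exchanges; returns what each side ended up seeing."""
    proxy_m, proxy_n = make_proxies()
    seen_by_server = []

    def application_n(req):            # stand-in for the web server 12n
        seen_by_server.append(req)
        media = "application/octet-stream" if req.path.endswith(".exe") else "text/html"
        return Message("reply", status=200,
                       headers={"Content-Type": media, "Server": "Apache/1.3"})

    page = Message("request", "GET", "/index.html", headers={"Cookie": "sid=1"})
    post = Message("request", "POST", "/cgi-bin/form")
    binary = Message("request", "GET", "/setup.exe")
    return {
        "page_reply": exchange(page, proxy_m, proxy_n, application_n),
        "post_reply": exchange(post, proxy_m, proxy_n, application_n),
        "binary_reply": exchange(binary, proxy_m, proxy_n, application_n),
        "server_saw_cookie": any("Cookie" in r.headers for r in seen_by_server),
        "server_requests": len(seen_by_server),
        "log": proxy_m.log + proxy_n.log,
    }
```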
  • the application proxies 72m and 72n may be a combination of off-the-shelf and specially written (bespoke) software.
  • Proxy software for the protocol known as SMTP may be obtained from the Internet Firewall Toolkit of Trusted Information Systems Inc, USA (now Network Associates Inc. USA).
  • This software provides a receiver 140 which places in a file each incoming SMTP message and relays it to decomposing software 142 such as "MIMEsweeper" from Integralis Network Systems Inc.
  • the latter accepts compound electronic mail messages formatted in accordance with the SMTP/MIME standard and decomposes them into their constituent components (eg message body and attachments) which it passes to a virus checker available commercially from numerous vendors. It modifies the message if necessary by removing any unwanted components, places the message (including any modifications) in a file and sends it to an SMTP sender 144 for formatting into an SMTP message and onward transmission.
  • The combination of items shown in Figure 12 provides an application proxy for electronic mail. It may be implemented as indicated in Figure 10 by the applications 12m and 12n being e-mail applications, one application proxy 72m containing software for an SMTP receiver 140 and a file transmitter and the other application proxy 72n containing software for a file receiver, MIMEsweeper decomposing software 142 and an SMTP sender 144.
  • the file transmitter formats messages as appropriate for the link medium 102 and the file receiver reformats them to the SMTP/MIME standard.
  • MIMEsweeper modifies a message if necessary and passes it to the SMTP sender 144 for transmission to the e-mail application software 12n. Software for the file transmitter and receiver is not a standard item but is straightforward to write and will not be described.
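The file transmitter and receiver that the text leaves undescribed can be as simple as length-prefixed, CRC-checked framing over the unaddressed byte stream of link medium 102. The following Python is an added example, not the patent's or any product's code; the frame format, the 10 MiB size limit and the sample e-mail message are assumptions, and the receiver is written to cope with the stream arriving in arbitrary chunks and with a corrupted frame.

```python
import struct
import zlib

MAX_FRAME = 10 * 1024 * 1024          # assumed limit on one message file
HEADER = struct.Struct(">I")          # 4-byte big-endian payload length
TRAILER = struct.Struct(">I")         # CRC-32 of the payload


def encode_frame(payload):
    """File transmitter: wrap one message file for the unaddressed byte stream."""
    if len(payload) > MAX_FRAME:
        raise ValueError("message exceeds link frame limit")
    return HEADER.pack(len(payload)) + payload + TRAILER.pack(zlib.crc32(payload))


class FrameReceiver:
    """File receiver: reassembles frames from a stream that arrives in arbitrary chunks."""

    def __init__(self):
        self._buf = bytearray()
        self.dropped = 0                  # frames discarded for bad CRC or bad length

    def feed(self, chunk):
        """Absorb bytes read from the link; return the complete, verified payloads."""
        self._buf.extend(chunk)
        out = []
        while len(self._buf) >= HEADER.size:
            (n,) = HEADER.unpack_from(self._buf, 0)
            if n > MAX_FRAME:
                # Corrupt or implausible length: drop the buffer rather than wait forever
                self.dropped += 1
                self._buf.clear()
                break
            total = HEADER.size + n + TRAILER.size
            if len(self._buf) < total:
                break                     # frame not yet complete
            payload = bytes(self._buf[HEADER.size:HEADER.size + n])
            (crc,) = TRAILER.unpack_from(self._buf, HEADER.size + n)
            del self._buf[:total]
            if crc != zlib.crc32(payload):
                self.dropped += 1         # damaged in transit: never hand it on
                continue
            out.append(payload)
        return out


# Constructed e-mail message standing in for the file written by the SMTP receiver 140.
SAMPLE_MESSAGE = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
                  b"Subject: weekly report\r\n\r\nAttached as requested.\r\n")


def relay(messages, chunk_size=7, corrupt_index=None):
    """Simulate the transmitter writing frames to the link and the receiver reading
    them back chunk_size bytes at a time; optionally flip one bit in transit."""
    stream = bytearray(b"".join(encode_frame(m) for m in messages))
    if corrupt_index is not None:
        stream[corrupt_index] ^= 0x01
    rx = FrameReceiver()
    received = []
    for i in range(0, len(stream), chunk_size):
        received.extend(rx.feed(bytes(stream[i:i + chunk_size])))
    return received, rx.dropped
```

A real link would add a sync marker so the receiver can recover after a corrupted length field; the CRC alone only guarantees that damaged frames are discarded.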
  • Part of the "One Way Link" product from the Secure Knowledge Company Ltd (UK) would be suitable to provide a file receiver and an SMTP sender 144, provided that it was modified to replace network link software by a suitable driver for the link medium 102.
  • Similar firewall arrangements may be constructed for protocols other than SMTP simply by using appropriate proxies. This protects the e-mail application 12n against incoming mail. If it is required to protect the other e-mail application 12m in the same way, both application proxies 72m and 72n are required to contain software for an SMTP receiver 140, a file transmitter, a file receiver, decomposing software 142 and an SMTP sender 144.
  • a further option is to isolate the decomposing software 142 in another computer: i.e. in the previous example the link medium 102 is replaced by two links connected to another computer running decomposition software.
  • the second application proxy 72n contains a file receiver and an SMTP sender 144, but no longer runs decomposition software. This is in effect two examples of the invention back to back with the added advantage that crucial checks are more isolated from unwanted intrusion.
  • Implementation of a firewall of the invention is dependent on the software and hardware combination to be employed, particularly the driver software configuration.
  • Driver software provides software applications with an interface to link medium 102.
  • the standard protocol for network communication is called TCP/IP, while the simplest form of non-networked communications link is an RS232 serial line with an interface that allows applications to send and receive bytes of data.
  • TCP/IP driver allows software applications to make connections and exchange data. The drivers are such that many applications on many computers may be exchanging data at any time. So it is important for firewall construction to take into account the crucial fact that network devices can be shared but serial devices cannot.
  • the passing of requests and replies between two software applications is often implemented using sockets which one application monitors for connection requests and to which the other connects. Once the connection is established, it is used to pass data consisting of a request or reply from one application to the other.
  • a web server monitors a socket to which a browser makes a connection and uses it to pass an HTTP request to the server. The server constructs a reply and returns it using the connection. The connection may be used for further requests, but it is closed if not needed.
  • TCP/IP drivers may be configured to forward to other computers data and connection requests directed to them. Thus a connection request that is directed at one computer may be passed to another. This feature presents a security hazard because if it is enabled on a computer that hosts an application proxy, that proxy may be bypassed.
  • In Figure 13 there is illustrated schematically the software configuration of an example of the invention employing a link medium in the form of an RS232 serial link 150.
  • An application proxy 152 running on one computer (not shown) formulates a request or reply, changes it into a byte stream and sends it to link driver software 154.
  • On receipt of a send request, the link driver 154 passes the byte stream to the RS232 serial link 150, which transmits it to a second link driver 156 running on a remote computer (not shown) hosting another application proxy 158.
  • When the second link driver 156 obtains a receive request from its associated application proxy 158, it takes the byte stream from the serial link 150 and passes it to the proxy 158, which converts it back into the format of the original request or reply at 152.
  • the two application proxies 152 and 158 can only exchange requests and replies using the RS232 serial link 150.
  • the link 150 is unsuitable for connecting other software applications and is not appropriate for conventional network connections. This means that most if not all software applications capable of networking and running on the same computers as the proxies 152 and 158 will be unable to short circuit the latter and communicate directly via the link 150 because they do not generate an acceptable data format.
  • An RS232 link sends one bit at a time. Other links send more than one bit in parallel but are otherwise serial, and may also exhibit this non-networking property, eg IEEE488 and IEEE1394: as previously mentioned they use addresses to identify computers or devices but not applications within computers. It is a feature of a driver for RS232 and some other link media that it is capable of granting access to one software application to the exclusion of all others.
  • In Figure 14 there are shown schematically five different forms of computer firewall configurations of the invention, S1 to S5.
  • Computer networks and firewalls are indicated by N and F respectively, and network links (equivalent to 58 or 60) by NL and non-networked links by L (equivalent to 102), differentiated by a following integer in each case.
  • Configuration S1 is equivalent to Figure 10, having two computer networks N1 and N2 connected to respective firewall computers F1 and F2 via network links NL1 and NL2, the firewalls being connected by a non-networked link L1.
  • Configuration S2 differs from configuration S1 only in that there are two connections L2a and L2b between firewall computers F3 and F4, which increases speed of communication; standard hardware devices are available which drive two links in this way.
  • Configuration S3 is equivalent to two versions of SI with one network N5 common to both.
  • Network N5 is connected to two different computer networks N6 and N7 via respective pairs of firewall computers F5a/F6 and F5b/F7.
  • Configuration S4 differs from configuration S3 only in that the two firewall computers F5a and F5b connected directly to the first network N5 are replaced by a single firewall computer F8 connected to network N8: this reduces the number of computers and therefore also costs.
  • Configuration S5 is as configuration S4 with the addition of a further non-networked link L6 between a right hand pair of firewall computers F12 and F14 enabling communication between two networks N12 and N14 without involving a network N11 to the left. Many other configurations are possible.

Abstract

A computer security system comprises a proxy firewall computer (70m) incorporating software implementing an application proxy (72m) and a device driver (54m) for controlling communication to a non-networked connection in the form of a serial data link (102). The application proxy (72m) receives exclusive access to the link (102) from the device driver (54m) and transforms communications in conventional network format from a computer (10m) or network linked to it into a different format transmissible by the link (102). This restricts transmission through the link (102) to communications from the application proxy (72m). It avoids the application proxy (72m) being bypassed, which would degrade computer security.

Description

Computer Security System
This invention relates to a computer security system, to a computer program for implementing it and to a method for implementing computer security.
Computer security is particularly important for computer networks allowing communication between software applications running on different computers which exchange data. Applications may communicate by requests to an operating system's network driver software, which handles requests to send and receive data by mapping them into commands to hardware network devices, thus providing applications with a network service.
Typical network driver software is designed for ease of communication between applications. This conflicts with computer security requirements, for which it is necessary to control access so that unconstrained communication to applications is impossible or at least very unlikely.
It is known to link different computer networks to form a single network using special computers called routers (also bridges or gateways) which may restrict the kind of communication they allow to pass. The effect of this is that software applications in communicating computers have a restricted interface. It has the disadvantage of restricting the network service available to an application, instead of acting upon communications themselves. Thus any constraints so applied cannot be particularly sensitive to the data actually communicated. Routing functionality is found in computers such as those running Windows NT and Unix operating systems in addition to special purpose routers.
The text book "Building Internet Firewalls" by D B Chapman and E D Zwicky discloses interposing an application proxy between applications running on computers in different networks to control communication between them. The computer which connects the networks also runs the application proxy, and is referred to as a proxy firewall or bastion host firewall. Applications on linked computers communicate via the application proxy. The proxy mimics software application behaviour, so communicating applications act as if communication were direct, but in fact it is indirect and relayed through the proxy.
The proxy can be configured to check communication between applications, and impose restrictions. Unlike router checks, these checks can be made on communications themselves, rather than restricting the interface between applications and the network service. Unfortunately, standard computers providing proxy firewalls are designed so that network drivers can connect networks together seamlessly, making it possible to bypass the application proxy. Moreover, the proxy may be bypassed if other application software runs on the firewall, because network drivers are designed to be shared by multiple applications.
For a proxy firewall to meet security requirements, the driver's standard routing functionality must be removed or disabled so that it cannot be restored while the firewall is operating. This is difficult to achieve using a standard computer and operating system for which source code is not generally available. However, there are examples of it having been done: eg Network Associates Inc. California, USA have a firewall product referred to as Gauntlet ® Firewall 5.0 for Windows. A proxy firewall can also be built using non-standard operating systems. The British Defence Evaluation and Research Agency has a firewall toolkit referred to as "SWIPSY" which disables the routing function using labelling functionality from an operating system supplied by Sun Microsystems Inc. called "Trusted Solaris™". Secure Computing Corporation Inc., Minnesota, USA has a firewall product referred to as "Sidewinder™" which uses a similar approach with a proprietary operating system that supports data typing.
One attempt to avoid the problem of inadvertent routing is to arrange that two networks to be linked are never directly connected; instead a switch switches the computer proxy host from one network to the other and back at regular intervals. Applications in different computers communicate with one another via the application proxy. Unfortunately, even this does not overcome the problem. Network drivers are designed to overcome failures and congestion in network media, typically by buffering communication requests and retrying them periodically, and this can allow unwanted communications to be transmitted.
It is also known to avoid inadvertent routing by physically switching connections, and this is done in a product referred to as "e-gap" from Whale Communications of Israel and New Jersey USA. A disc is connected via a switch to one computer or another in different networks. Application proxies in both computers communicate with applications on one respective side, and with the other proxy on the other, by transferring data through the shared disc. They control the switch jointly with a handshaking arrangement, and in effect control alternates between them. This approach however has the disadvantage that appropriate switch hardware is not a standard commodity component.
A proxy firewall may be referred to as a "dual-homed" firewall if (as is common) it involves a single computer with two network interfaces and respective network communications links with two different networks simultaneously: this is disclosed for example in published GB Pat. Appln No. 2,317,539A (inventors E B Stockwell and A E Klietz) and by D B Chapman and E D Zwicky in Firewall Design, January 1996, Sunworld Online. The drawback of this approach is that it is difficult to ensure that the computer's operating system software does not bypass its firewall application software by seamlessly routing traffic between the two interfaces - this is standard functionality in common operating systems such as Windows NT. An operating system may be modified to include special functionality to avoid the firewall being bypassed, for example as described by GB Pat. Appln No. 2,317,539A, but it is not provided by mainstream products. The need to provide special functionality means that the operating system becomes non-standard: it incurs the disadvantages of higher price, increased maintenance costs and reduced availability or even absence of commercial software support. It is an object of the invention to provide an alternative form of computer security device.
The present invention provides a computer security system comprising a proxy firewall computer incorporating software implementing an application proxy for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link actuated by means of a device driver and the computer is arranged to provide for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
For the purposes of this specification, the expression "non-networked communications link" means a communications link which the proxy firewall computer's operating system does not treat as a network communications link and will not automatically link to a network link. Non-networked communications links are currently implemented by a combination of hardware and software, although this may be done in software only in future.
The invention provides the advantage that communication does not bypass the application proxy because of the use of a non-networked communications link and the restriction associated with access to that link: in consequence the application proxy can monitor traffic passing between the first and second communications links to apply business-specific checks, and the security controls found in mainstream operating systems can be applied to ensure these checks cannot be bypassed. Moreover, it is possible to implement the invention using standard hardware and, largely at least, standard software. The invention deals with a long-felt want by solving a problem for which there have been many failed or inadequate solutions as indicated above and as will be described later in more detail.
The restriction may be at least partly implemented by the application proxy receiving exclusive access to the communications link from the device driver or by the application proxy transforming conventional network communications to a format transmissible by the communications link.
The communications link may transmit data receivable by any other computer or network connected to it without regard to a data address, and the communications link may be a serial data link such as an RS232, IEEE488 or IEEE1394 data link.
The proxy firewall computer may be one of a plurality of like proxy firewall computers each providing security for a respective associated computer or computer network, the communications link being common to each firewall computer, the proxy firewall computers being connected simultaneously to it in normal operation.
The or, as the case may be, each proxy firewall computer may provide security for an associated computer or computer network connected thereto by a network link suitable for conventional network communications.
In another aspect, the present invention provides computer software for a proxy firewall computer and implementing an application proxy for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link, the software is arranged to implement a device driver for the second communications link and to provide for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
The restriction may be at least partly implemented by the application proxy receiving exclusive access to the communications link from the device driver or by the software being configured to provide or accept a data format appropriate for the communications link but unsuitable for transmitting conventional network communications. The data format may be unaddressed and serial. The software of the invention may be configured to implement a proxy firewall providing security for an associated computer or computer network communicating therewith by a network link suitable for conventional network communications.
In a further aspect, the present invention provides a method of providing security for a computer system comprising a proxy firewall computer incorporating software implementing an application proxy and a device driver for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link actuated by means of a device driver and the method includes providing for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
Communications may be restricted by the application proxy receiving exclusive access to the communications link from the device driver or by the application proxy transforming conventional network communications to a data format transmissible by the communications link. The data format may not require a data address indicating a recipient, and may be a serial data format.
In order that the invention might be more fully understood, embodiments thereof will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figures 1 to 9 are schematic block diagrams of prior art computer systems;
Figure 10 is a schematic block diagram of a computer security system of the invention;
Figure 11 illustrates communication between application software and application proxies in the system of Figure 10;
Figures 12 and 13 indicate software items suitable for use in the system of Figure 10; and
Figure 14 illustrates five networking arrangements implementing the invention.
Referring to Figure 1, a simplified structure of a prior art computer indicated generally by 10 is shown as a combination of application software 12, system call interface 14, device driver software 15 within an operating system (not shown), a bus 16 for a central processing unit (CPU) and peripherals, electronic device hardware 18 and a connection 20 to external facilities (not shown). The expression "application software" is used to indicate a computer program which runs on a computer to perform a task, and is distinguished from a "software tool" used to work on computer programs.
Application software 12 makes requests to send and receive data to the hardware device 18 by making operating system calls to driver software 15. The driver software 15 services requests by controlling the hardware device 18, usually in accordance with some complex protocol. It is unusual for the application's request to be mapped in a direct manner to the way the device 18 operates. The hardware device 18 receives commands and data from the driver 15, and sends status information and data back to it. The device 18 may contain storage such as a disc (not shown), and as illustrated it has an external connection 20 to other devices such as a computer network (not shown). Devices of this kind usually have either a disc or a network card, but could have both.
Referring now to Figure 2, there is shown a more complex form of prior art computer 30 with more than one hardware device 32 and an operating system containing multiple drivers 34 in two layers indicated by suffixes a and b. The drivers 34 are structured into layers: in some cases a driver 34a calls on the services of another driver 34b rather than driving a device 32 directly, and application software 38 may be connected to all drivers 34a in a layer. It is also possible to have more than one driver 34a use another driver 34b (as shown) or device (not shown). As shown in Figure 3, where parts previously described are like-referenced with an added suffix a or b, computers 10a and 10b may be connected to a network indicated by a connection 40 allowing applications on different computers to communicate and exchange data. They may communicate with each other by making requests of their operating systems' network driver software 15a/15b. The drivers 15a and 15b handle these requests to send and receive data and map them, using complex protocols, into commands to the hardware network devices 18a and 18b, between which data is passed across a network medium 40.
Referring now to Figure 4, there is shown a prior art network 50 arranged to provide some degree of computer security. Parts equivalent to those previously described are like-referenced with an added suffix c or d. Two computers 10c and 10d are joined together to form a single logical network using a special computer 52 called a router and indicated within dotted lines. The router 52 incorporates network driver software 54 and two hardware network devices 56 connected via communications links 58 and 60 to the computers 10c and 10d respectively. It does not run application software.
The driver software 54 in the router 52 joins the computers 10c and 10d together seamlessly, in that their operation and communication with one another is unaffected by the fact that they are not connected together directly but instead indirectly through the router's driver 54. When they communicate through the router 52, the latter appears to each of the computers 10c and 10d to be the other. As has been said, the router 52 has no application software, and so rather than passing data to such an application, the driver 54 passes data from one device 56 to the other and thereby across from one computer 10c or 10d to the other.
While routers can make communication between different networks seamless, it is possible to configure them to restrict what communication can take place by imposing restrictions on kinds of communication that the router will replay. The effect of this is to place constraints upon a network service available to software applications in communicating computers, instead of upon communications between applications. Constraints so applied usually do not relate directly to the nature of communications between software applications and cannot accurately reflect this. Routing functionality is found in conventional computers (e.g. those running NT and Unix operating systems) as well as special routers.
Referring now to Figures 5, 6 and 7, there are shown three representations of a prior art approach to secure computer networking: parts equivalent to those previously described are like-referenced with an added suffix e or f. Two computers 10e and 10f are shown and are linked together by a special type of computer indicated within chain lines 70 and referred to as a proxy firewall (or bastion host firewall). The proxy firewall 70 is equivalent to a router 52 (see Figure 4) with the addition of an application proxy 72 which controls operation of the router's network device driver 54e. In addition to connecting the communicating computers 10e and 10f together, the proxy firewall computer 70 also runs the application proxy 72. The application proxy 72 is in effect interposed between software applications running on different computers 10e and 10f in order to impose meaningful control on communication between them. The network device driver 54e does not connect the communicating computers 10e and 10f together in a seamless way. Instead, applications on these computers communicate via the application proxy 72. To a software application running on one of the computers 10e and 10f the application proxy 72 mimics the behaviour of an application running on the other, so these applications behave as if they were communicating directly with one another, whereas in fact communication is intended to be indirect and relayed through the application proxy 72. The proxy 72 may be configured to check communication taking place between applications (as opposed to constraining a network), and impose any restrictions that might be required.
An application proxy 72 is nothing more than a special software application which can run on a standard computer providing the proxy firewall 70. Unfortunately, standard computers are designed so that their network drivers 54e can connect communicating computers 10e and 10f together in a seamless fashion. In consequence it is possible for these computers to bypass the application proxy 72 via the driver 54e as shown in Figure 6 by a dotted line 74. As shown in Figure 7, the application proxy 72 may also be bypassed if the proxy firewall 70 runs other application software 76 via which the computers 10e and 10f may communicate as indicated by a dotted line 78. This is because a typical network driver 54e is designed to be shared by multiple applications.
For a proxy firewall to meet the security requirement, the network driver's standard routing functionality must be removed or disabled in such a way that it cannot be restored under any circumstances while the firewall is operating. This is difficult to achieve and it is even more difficult to verify that it has been achieved, given the desire to use a standard computer and operating system software for which source code is not generally available.
Proxy firewalls have been built using non-standard operating systems having labelling functionality or supporting data typing.
Referring now to Figure 8, there is shown a further prior art approach to secure computer networking: parts equivalent to those previously described are like-referenced with an added suffix g, h or i. Two computers 10g and 10h are linked together by links 58g and 60h and a third computer 70i providing another form of firewall. The arrangement is equivalent to Figures 5 to 7 with devices 56e and 56f replaced by the combination of a single device 56i and a switch 80, which together with a driver 54i and application proxy 72i are incorporated in a firewall computer 70i. The switch 80 provides a connection from the firewall computer 70i to one of the computers 10g and 10h or the other but not to both simultaneously. It breaks the connection to one of these computers before connecting to the other, so the two computers 10g and 10h are always electrically isolated from one another.
A timer, which acts independently of the firewall computer 70i, changes the switch connection between the two computers 10g and 10h at regular intervals. Applications 12g and 12h running on respective computers 10g and 10h communicate with each other via the application proxy, but cannot succeed in doing so immediately when the switch 80 is disconnected. This switching technique is therefore only really suitable for applications which respond to communication failures by storing data to be communicated and repeatedly attempting to establish communication at intervals, such as electronic mail applications.
Unfortunately, the switching technique does not overcome the secure network problem. Network drivers 54 are designed to overcome failures and congestion in networks, typically by buffering or storing communication requests and retrying them periodically should an error occur. It is therefore possible for the driver 54i to accept requests from one computer, while the switch is thrown in that direction, and buffer them until the switch is thrown to the other computer. This means that a communication which the application proxy 72i would have rejected bypasses the latter and becomes routed via the driver 54i. Another disadvantage of the switching technique is that the switch 80 introduces considerable latency or delay in the communication between applications, which makes it unsuitable for web browsing and other forms of interactive communication.
Referring now to Figure 9, there is shown a further prior art approach to secure computer networking: parts equivalent to those previously described are like-referenced with an added suffix j or k. Two computers 10j and 10k are associated with respective firewall computers 70j and 70k connectable by a switch 88 to a disc memory 90. The switch 80 provides a connection from the disc 90 to one of the firewall computers 70j and 70k or the other (and thence to the respective associated computer 10j or 10k), but not to both simultaneously. It breaks the connection to one firewall before connecting to the other, so only one of the two computers 10j and 10k can communicate with the disc at any time. Application proxies 72j and 72k in the firewalls 70j and 70k communicate with respective software applications 12j and 12k in associated computers 10j and 10k to one side and with the disc 90 on the other side. They each have different paths for communication with the disc 90 and respective associated computers 10j and 10k so that they cannot be bypassed. They communicate with one another by transferring data through the shared disc 90, and they control the switch 88 by sending commands through driver software 54j/54k to device hardware 56j/56k.
Driver software for discs is quite different to that used to control computer network devices, and it is highly unlikely that the driver software 54j/54k will use the disc to connect the two computer/firewall combinations 10j/70j and 10k/70k seamlessly: in consequence the application proxies 72j/72k are unlikely to be bypassed. The problem of latency is avoidable by using a fast disc 90 and a switch 88 controlled by the application proxies 72j and 72k. The drawback of this approach is that switch hardware is not a standard commodity component.
Referring now to Figure 10, there is illustrated a secure computer network 100 in accordance with the present invention: parts equivalent to those previously described are like-referenced with an added suffix m or n. Two computers 10m and 10n are associated with respective proxy firewalls 70m and 70n indicated within dotted lines (each computer 10m or 10n could be replaced by a computer network). Application proxies 72m and 72n in respective firewalls 70m and 70n communicate via network media 58m and 60n with respective software applications 12m and 12n in associated computers 10m and 10n to one side in each case and with each other via a link medium 102 on the other side.
The network media 58m and 60n connecting the proxy firewalls 70m and 70n to respective computers or networks 10m and 10n are standard network communication devices which transmit conventional network communications. However, the link medium 102 connecting the proxy firewalls 70m and 70n together will not transmit conventional network communications because their drivers 54m and 54n do not allow its use to be shared by two or more applications: this avoids a proxy 72m or 72n being bypassed. In addition, some link media, eg RS232, don't allow addressing, and that is an advantage because it means there is less to go wrong. Some link media such as IEEE488 and 1394 do implement addresses, but only to distinguish computers or devices attached to them, and not individual applications running on a computer; this is for example unlike TCP/IP (the standard protocol for network communication) where an IP address identifies a computer and a "port or socket number" identifies an application within a computer.
The link medium 102 comprises communications link devices which may be serial or parallel data links, and may operate synchronously or asynchronously, e.g. RS232, IEEE488 or IEEE1394. These links transmit data as a stream of bytes receivable by any computer connected to them provided that it is programmed appropriately to process data in this form. Unlike conventional network links, they supply data to any computer connected to them without regard to recipient address(es) which would be embedded in data passed through a network. Applications software 12m and 12n communicate with one another via the series arrangement of the two application proxies 72m and 72n connected by the link medium 102.
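As an added illustration (not code from the patent), the following Python models the Figure 13 exchange over such a link: one application proxy changes a parsed request into a framed byte stream for the serial link and the remote proxy converts it back, while bytes in raw network format are rejected because they are not in the proxy's own format. The frame layout, the field names and the JSON canonical form are assumptions made for this example.

```python
"""Model of the Figure 13 exchange (added example, not from the patent).
Frame layout, constructed for this example:
  magic 'PXY1' | version u8 | payload length u32 BE | payload | CRC-32 of payload
"""
import json
import struct
import zlib

MAGIC = b"PXY1"
VERSION = 1
HEADER = struct.Struct(">4sBI")  # magic, version, payload length
TRAILER = struct.Struct(">I")    # CRC-32 of the payload


class LinkFormatError(ValueError):
    """Raised when bytes taken from the link are not in the proxy's own format."""


def frame(payload: bytes) -> bytes:
    """Wrap one request or reply for transmission over the serial link."""
    return (HEADER.pack(MAGIC, VERSION, len(payload))
            + payload
            + TRAILER.pack(zlib.crc32(payload)))


def unframe(stream: bytes) -> list[bytes]:
    """Split a received byte stream into payloads.

    Anything that is not a well-formed proxy frame (for instance a raw IP
    datagram written to the line by some other program) raises, so the
    receiving proxy never hands such data on to the application side."""
    payloads = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            raise LinkFormatError("truncated header")
        magic, version, length = HEADER.unpack_from(stream, pos)
        if magic != MAGIC or version != VERSION:
            raise LinkFormatError("not a proxy frame")
        pos += HEADER.size
        end = pos + length
        if end + TRAILER.size > len(stream):
            raise LinkFormatError("truncated payload")
        payload = stream[pos:end]
        (crc,) = TRAILER.unpack_from(stream, end)
        if crc != zlib.crc32(payload):
            raise LinkFormatError("checksum mismatch")
        payloads.append(payload)
        pos = end + TRAILER.size
    return payloads


def proxy_send(request: dict) -> bytes:
    """Proxy 152: canonicalise an already-parsed application request and frame it.

    The proxy has parsed the network-format request itself; only this reduced
    representation, not the original packets, ever reaches the link."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return frame(canonical)


def proxy_receive(stream: bytes) -> list[dict]:
    """Proxy 158: unframe the stream and rebuild the requests.

    The receiving proxy also applies its own check (here: a fixed set of
    permitted fields) before regenerating a network-format request."""
    requests = []
    for payload in unframe(stream):
        obj = json.loads(payload)
        if not isinstance(obj, dict) or set(obj) != {"method", "path", "headers"}:
            raise LinkFormatError("unexpected request fields")
        requests.append(obj)
    return requests


if __name__ == "__main__":
    # Constructed sample request, as proxy 152 would have parsed it from a browser.
    sample = {"method": "GET", "path": "/index.html", "headers": {"Host": "example.test"}}
    wire = proxy_send(sample)
    print(len(wire), "bytes on the link ->", proxy_receive(wire))
```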
Ignoring software changes to be described later, the Figure 10 arrangement is equivalent to that of Figure 9 with removal of the switch 88 and disc 90 and insertion of the link medium 102 connecting an innermost pair of hardware devices 56m and 56n. For communication with the other proxy in each case, and as in Figure 9, each application proxy 72m or 72n has a path which is different to that for communication with the respective associated computer 10m or 10n: it therefore cannot be bypassed; each path includes a respective software driver 54m or 54n and network device 56m or 56n.
The invention may be used to connect individual computers as shown in Figure 10, or computer networks. It employs a separate proxy firewall 70m or 70n for each computer or network to be connected.
Although at first sight computer security in the prior art of Figure 9 would seem to be derived from physical isolation provided by a switch 88, this is not in fact the case. For the purposes of the present invention, it has been appreciated that the inability of network drivers 54k/54j to link the firewalls 70j and 70k directly together arises because a device (ie the disc 90) not normally used for network traffic is used to connect the networks. Thus the special purpose switch 88 is not essential, and in accordance with the invention it may be replaced by standard hardware intended for non-networked communication between computers, ie a link medium 102 such as a serial data link or a dual port disc for connection to two computers.
Since network driver software does not normally use a communications link medium 102 for networked communication, it is unlikely that the network drivers 54m and 54n will seamlessly connect the two computers 10m and 10n. However, networked communication across the link medium 102 is possible, eg dial-up connections: this conflicts with the computer security requirement and it is therefore necessary to check the network 10m/70m/10n/70n shown in Figure 10 to ensure that this is not the case. The required check involves examining the driver structure of the proxy firewalls 70m and 70n. It is necessary to establish that no driver 54m or 54n provides access both to the associated computer 10m or 10n and to the link medium 102. The respective application proxy 72m or 72n is then arranged to obtain exclusive access to the driver 54m or 54n connected directly to the link medium 102: this provides confidence that the only communication taking place between the firewalls 70m and 70n through the link medium 102 passes through both application proxies 72m and 72n.
The applications 12m and 12n which are communicating with one another may be the same type of software at different sites, for example two video conference applications such as "NetMeeting" supplied by the Microsoft Corporation (USA), or different software - for example a web browser such as Netscape Navigator® from the Netscape Communications Corporation (USA) and a web server such as that supplied by the Apache Software Foundation (USA). These examples both involve user interaction, but it is equally possible for server applications to communicate with each other without human intervention, for example two databases exchanging update information.
Regardless of the nature of the applications which are communicating with one another, their communication will use some application specific protocol: video conferencing might use protocol H.323 and for web browsing it is likely to be protocol HTTP. In all cases one software application makes a request which is passed to the other via the firewalls 70m and 70n and link medium 102, causing the other to take some action and return a response. The application proxies 72m and 72n are written specifically for the relevant protocol actually used by the communicating applications 12m and 12n. They have exactly the same external interface as the applications 12m and 12n and mimic their behaviour, except that they may also make some additional security checks.
Referring now also to Figure 11, which illustrates the nature of communication between elements of Figure 10, when one application 12m or 12n sends a request indicated by an arrow to the other, the request is passed to its associated application proxy 72m or 72n on the same side of the link medium 102. The relevant application proxy 72m or 72n applies any appropriate security checks and, if the latter are satisfied, it passes the request on to the other application proxy 72n or 72m via the link medium 102. If the security checks are not satisfied, it may modify the request to meet them if that is possible and then pass on the version so modified, or reject it if such modification is not possible. On receipt of a request 112, the other application proxy 72n or 72m makes further security checks upon it and modifies it once more to meet them if necessary, and then if the request with any required modifications satisfies the checks it is passed at 114 to the application software 12n or 12m in the associated computer 10n or 10m.
On receipt of a request at 114, the other application 12n or 12m takes action as indicated in the request and constructs a reply which is sent at 116 to its associated application proxy 72n or 72m on the same side of the link medium 102. This proxy 72n or 72m applies to the reply the procedure described above of security check/modify if necessary: if the procedure is satisfied, at 118 it passes the reply or a modified equivalent to the other application proxy 72m or 72n via the link medium 102. On receipt of a reply at 118, the other application proxy 72m or 72n repeats the procedure of security check/modify if necessary: if the procedure is satisfied the reply as modified where necessary is passed at 120 to the application software 12m or 12n in the associated computer 10m or 10n.

Referring now to Figure 12, the application proxies 72m and 72n may be a combination of off-the-shelf and specially written (bespoke) software. Proxy software for the protocol known as SMTP may be obtained from the Internet Firewall Toolkit of Trusted Information Systems Inc, USA (now Network Associates Inc. USA). This software provides a receiver 140 which places in a file each incoming SMTP message and relays it to decomposing software 142 such as "MIMEsweeper" from Integralis Network Systems Inc. The latter accepts compound electronic mail messages formatted in accordance with the SMTP/MIME standard and decomposes them into their constituent components (eg message body and attachments) which it passes to a virus checker available commercially from numerous vendors. It modifies the message if necessary by removing any unwanted components, places the message (including any modifications) in a file and sends it to an SMTP sender 144 for formatting into an SMTP message and onward transmission.
The combination of items shown in Figure 12 provides an application proxy for electronic mail. It may be implemented as indicated in Figure 10 by the applications 12m and 12n being e-mail applications, one application proxy 72m containing software for an SMTP receiver 140 and a file transmitter and the other application proxy 72n containing software for a file receiver, MIMEsweeper decomposing software 142 and an SMTP sender 144. The file transmitter formats messages as appropriate for the link medium 102 and the file receiver reformats them to the SMTP/MIME standard. MIMEsweeper modifies a message if necessary and passes it to the SMTP sender 144 for transmission to the e-mail application software 12n. Software for the file transmitter and receiver is not a standard item but is straightforward to write and will not be described. Part of the "One Way Link" product from the Secure Knowledge Company Ltd (UK) would be suitable to provide a file receiver and an SMTP sender 144, provided that it was modified to replace network link software by a suitable driver for the link medium 102. Similar firewall arrangements may be constructed for protocols other than SMTP simply by using appropriate proxies. This protects the e-mail application 12n against incoming mail. If it is required to protect the other e-mail application 12m in the same way, both application proxies 72m and 72n are required to contain software for an SMTP receiver 140, a file transmitter, a file receiver, decomposing software 142 and an SMTP sender 144. A further option is to isolate the decomposing software 142 in another computer: ie in the previous example the link medium 102 is replaced by two links connected to another computer running decomposition software. The second application proxy 72n contains a file receiver and an SMTP sender 144, but no longer runs decomposition software.
This is in effect two examples of the invention back to back with the added advantage that crucial checks are more isolated from unwanted intrusion.
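As an added example (not the patent's code, and not the MIMEsweeper or Firewall Toolkit software it names), the decomposing stage 142 of Figure 12 in Python: an incoming SMTP/MIME message is split into its components, each component is checked, unwanted ones are removed and the message is reassembled for the SMTP sender 144. The virus checker is replaced by a hypothetical content-type and extension policy, and the incoming message is constructed inline.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical checker policy standing in for the virus checker: components of these
# content types or with these extensions are treated as unwanted and removed.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-dosexec"}
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat", ".com", ".pif")


def component_is_wanted(part: EmailMessage) -> bool:
    """Decide whether one decomposed component may pass (stand-in for the virus check)."""
    if part.get_content_type() in BLOCKED_TYPES:
        return False
    name = (part.get_filename() or "").lower()
    return not name.endswith(BLOCKED_EXTENSIONS)


def decompose(msg: EmailMessage) -> list[EmailMessage]:
    """Split a compound SMTP/MIME message into its leaf components (body, attachments)."""
    return [part for part in msg.walk() if not part.is_multipart()]


def sanitize(raw: bytes) -> tuple[bytes, list[str]]:
    """Decompose, check every component, drop unwanted ones and reassemble.

    Returns the reassembled message for the SMTP sender and the names of the
    components removed from it.
    """
    incoming = message_from_bytes(raw, policy=policy.default)
    outgoing = EmailMessage(policy=policy.default)
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if incoming[header] is not None:
            outgoing[header] = incoming[header]
    removed: list[str] = []
    body_set = False
    for part in decompose(incoming):
        if not component_is_wanted(part):
            removed.append(part.get_filename() or part.get_content_type())
            continue
        is_inline_text = (part.get_content_maintype() == "text"
                          and part.get_content_disposition() != "attachment")
        if is_inline_text and not body_set:
            # the first inline text component becomes the body of the rebuilt message
            outgoing.set_content(part.get_content(), subtype=part.get_content_subtype())
            body_set = True
        else:
            # everything else is re-attached; later text parts are kept as attachments
            outgoing.add_attachment(part.get_payload(decode=True),
                                    maintype=part.get_content_maintype(),
                                    subtype=part.get_content_subtype(),
                                    filename=part.get_filename() or "component")
    return outgoing.as_bytes(), removed


def component_names(raw: bytes) -> list[str]:
    """Filename (or content type) of each leaf component, in message order."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() or part.get_content_type() for part in decompose(msg)]


def build_sample_message() -> bytes:
    """Constructed incoming message: a text body, a document and an executable."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample, not a real document",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed sample, not a real executable",
                       maintype="application", subtype="x-msdownload", filename="update.exe")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE_MESSAGE)
    print("removed:", dropped)
    print("forwarded components:", component_names(cleaned))
```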
Implementation of a firewall of the invention is dependent on the software and hardware combination to be employed, particularly the driver software configuration. The following considerations need to be taken into account. In a conventional computer, driver software is part of the computer's operating system, and is provided either by the operating system vendor or by the computer hardware vendor, or partly by each. Driver software provides software applications with an interface to the link medium 102. The standard protocol for network communication is called TCP/IP, while the simplest form of non-networked communications link is an RS232 serial line with an interface that allows applications to send and receive bytes of data. A TCP/IP driver allows software applications to make connections and exchange data. The drivers are such that many applications on many computers may be exchanging data at any time. So it is important for firewall construction to take into account the crucial fact that network devices can be shared but serial devices cannot.
The passing of requests and replies between two software applications is often implemented using sockets which one application monitors for connection requests and to which the other connects. Once the connection is established, it is used to pass data consisting of a request or reply from one application to the other. In the case of web browsing, a web server monitors a socket to which a browser makes a connection and uses it to pass an HTTP request to the server. The server constructs a reply and returns it using the connection. The connection may be used for further requests, but it is closed if not needed.
A feature of TCP/IP drivers is that they may be configured to forward to other computers data and connection requests directed to them. Thus a connection request that is directed at one computer may be passed to another. This feature presents a security hazard because if it is enabled on a computer that hosts an application proxy, that proxy may be bypassed.
Referring now to Figure 13, there is illustrated schematically the software configuration of an example of the invention employing a link medium in the form of an RS232 serial link 150. An application proxy 152 running on one computer (not shown) formulates a request or reply, changes it into a byte stream and sends it to link driver software 154. On receipt of a send request, the link driver 154 passes the byte stream to the RS232 serial link 150, which transmits it to a second link driver 156 running on a remote computer (not shown) hosting another application proxy 158. When the second link driver 156 obtains a receive request from its associated application proxy 158, it takes the byte stream from the serial link 150 and passes it to the proxy 158 which converts it back into the format of the original request or reply at 152. The two application proxies 152 and 158 can only exchange requests and replies using the RS232 serial link 150.
Moreover, because of the byte stream format requirement, the link 150 is unsuitable for connecting other software applications and is not appropriate for conventional network connections. This means that most if not all software applications capable of networking and running on the same computers as the proxies 152 and 158 will be unable to short circuit the latter and communicate directly via the link 150 because they do not generate an acceptable data format. An RS232 link sends one bit at a time. Other links send more than one bit in parallel but are otherwise serial, and may also exhibit this non-networking property, eg IEEE488 and IEEE1394: as previously mentioned they use addresses to identify computers or devices but not applications within computers. It is a feature of a driver for RS232 and some other link media that it is capable of granting access to one software application to the exclusion of all others. In the present example of Figure 13, when the computers are switched on, the application proxies 152 and 158 running on them claim exclusive access to the associated link drivers 154 and 156 respectively. This prevents any other software running on one or other of the computers from using the link and thus bypassing the proxy's checks.
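As an added example (not the patent's or Qinetiq's code), the Figure 11 check/modify/reject sequence for HTTP requests and replies, carried between the two proxies as the byte-stream frames of Figure 13. The serial link is simulated by a bytes buffer, the frame layout and the HTTP policy (GET and HEAD only, a header allow-list, removal of the Server header) are hypothetical, and the server application is a stub; the last call in the main block shows why unframed network-style data recovers nothing at the receiving driver.

```python
import struct
from typing import Optional

# Hypothetical frame layout for the link: a 2-byte marker and a big-endian
# payload length. Only the proxies produce it, so unframed network data is dropped.
MAGIC = b"PX"
HEADER = struct.Struct(">2sI")

# Hypothetical HTTP policy enforced by both proxies.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HEADERS = {"host", "accept", "user-agent"}


def frame(payload: bytes) -> bytes:
    """Convert a request or reply into the byte stream handed to the link driver."""
    return HEADER.pack(MAGIC, len(payload)) + payload


def deframe(stream: bytes) -> list[bytes]:
    """Recover whole frames from the link's byte stream; stop at anything malformed."""
    frames: list[bytes] = []
    pos = 0
    while pos + HEADER.size <= len(stream):
        magic, length = HEADER.unpack_from(stream, pos)
        if magic != MAGIC or pos + HEADER.size + length > len(stream):
            break  # not produced by a proxy: discard the remainder
        pos += HEADER.size
        frames.append(stream[pos:pos + length])
        pos += length
    return frames


def check_request(raw: bytes) -> Optional[bytes]:
    """Check/modify/reject one HTTP request; None means rejected."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, _target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None  # unparsable: reject
    if method not in ALLOWED_METHODS or version != "HTTP/1.1" or body:
        return None  # cannot be brought into line with the policy: reject
    kept = [lines[0]]
    for line in lines[1:]:
        name = line.partition(":")[0].strip().lower()
        if name in ALLOWED_HEADERS:
            kept.append(line)  # modify: drop headers outside the allow-list
    return ("\r\n".join(kept) + "\r\n\r\n").encode("ascii")


def check_reply(raw: bytes) -> Optional[bytes]:
    """Check/modify one HTTP reply: the status line must parse; Server header removed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or status[0] != b"HTTP/1.1" or not status[1].isdigit():
        return None
    kept = [line for line in lines if not line.lower().startswith(b"server:")]
    return b"\r\n".join(kept) + sep + body


def server_app(request: bytes) -> bytes:
    """Stub for application 12n: it acts on the checked request and returns a reply."""
    return b"HTTP/1.1 200 OK\r\nServer: demo/1.0\r\nContent-Length: 2\r\n\r\nok"


def exchange(request: bytes) -> Optional[bytes]:
    """One request from application 12m through both proxies and back (Figure 11)."""
    checked = check_request(request)        # proxy 72m: check/modify/reject
    if checked is None:
        return None
    received = deframe(frame(checked))      # link drivers 154/156 over the serial link
    if len(received) != 1:
        return None
    rechecked = check_request(received[0])  # proxy 72n: further checks
    if rechecked is None:
        return None
    reply = check_reply(server_app(rechecked))  # 12n replies; 72n checks the reply
    if reply is None:
        return None
    back = deframe(frame(reply))            # reply crosses the link
    return check_reply(back[0]) if back else None  # 72m checks again, then to 12m


if __name__ == "__main__":
    print(exchange(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nX-Debug: 1\r\n\r\n"))
    print(exchange(b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    print(deframe(b"GET / HTTP/1.1\r\n\r\n"))  # unframed network data: nothing recovered
```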
Referring now to Figure 14, there are shown schematically five different forms of computer firewall configurations of the invention S1 to S5. Computer networks and firewalls are indicated by N and F respectively, and network links (equivalent to 58 or 60) by NL and non-networked links by L (equivalent to 102), differentiated by a following integer in each case.
Configuration S1 is equivalent to Figure 10, having two computer networks N1 and N2 connected to respective firewall computers F1 and F2 via network links NL1 and NL2, the firewalls being connected by a non-networked link L1. Configuration S2 differs from configuration S1 only in that there are two connections L2a and L2b between firewall computers F3 and F4, which increases speed of communication; standard hardware devices are available which drive two links in this way.
Configuration S3 is equivalent to two versions of S1 with one network N5 common to both. Network N5 is connected to two different computer networks N6 and N7 via respective pairs of firewall computers F5a/F6 and F5b/F7. Configuration S4 differs from configuration S3 only in that the two firewall computers F5a and F5b connected directly to the first network N5 are replaced by a single firewall computer F8 connected to network N8: this reduces the number of computers and therefore also costs. Configuration S5 is as configuration S4 with the addition of a further non-networked link L6 between a right hand pair of firewall computers F12 and F14 enabling communication between two networks N12 and N14 without involving a network N11 to the left. Many other configurations are possible.

Claims

1. A computer security system comprising a proxy firewall computer incorporating software implementing an application proxy for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link actuated by means of a device driver and the computer is arranged to provide for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
2. A computer security system according to Claim 1 characterised in that the said restriction is at least partly implemented by the application proxy receiving exclusive access to the communications link from the device driver.
3. A computer security system according to Claim 1 or 2 characterised in that the said restriction is at least partly implemented by the communications link being unsuitable for transmitting conventional network communications and by the application proxy transforming conventional network communications into a different format transmissible by the communications link.
4. A computer security system according to Claim 3 characterised in that the communications link transmits data receivable by any other computer or network connected to it without regard to a data address.
5. A computer security system according to Claim 3 or 4 characterised in that the communications link is a serial data link.
6. A computer security system according to Claim 5 characterised in that the communications link is an RS232, IEEE488 or IEEE1394 data link.
7. A computer security system according to any preceding claim characterised in that the proxy firewall computer is one of a plurality of like proxy firewall computers each providing security for a respective associated computer or computer network and wherein the communications link is common to each firewall computer.
8. A computer security system according to Claim 1 characterised in that the proxy firewall computer is one of a plurality of like proxy firewall computers each providing security for a respective associated computer or computer network, and in normal operation the proxy firewall computers are connected simultaneously to the communications link.
9. A computer security system according to any preceding claim characterised in that in normal operation the or as the case may be each proxy firewall computer provides security for an associated computer or computer network connected thereto by a network link suitable for conventional network communications.
10. Computer software for a proxy firewall computer and implementing an application proxy for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link, the software is arranged to implement a device driver for the second communications link and to provide for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
11. Computer software according to Claim 10 characterised in that the said restriction is at least partly implemented by the application proxy receiving exclusive access to the communications link from the device driver.
12. Computer software according to Claim 10 or 11 characterised in that the said restriction is at least partly implemented by the software being configured to provide or accept a data format appropriate for the communications link but unsuitable for transmitting conventional network communications.
13. Computer software according to Claim 12 characterised in that the data format is unaddressed.
14. Computer software according to Claim 12 or 13 characterised in that the data format is serial.
15. Computer software according to any one of Claims 10 to 14 characterised in that it is configured to implement a proxy firewall providing security for an associated computer or computer network communicating therewith by a network link suitable for conventional network communications.
16. A method of providing security for a computer system comprising a proxy firewall computer incorporating software implementing an application proxy and a device driver for controlling communication between first and second communications links, characterised in that the second communications link is a non-networked communications link actuated by means of a device driver and the method includes providing for communications passing via the second communications link to be subject to the restriction that they are obtained from or through the application proxy only.
17. A method according to Claim 16 characterised in that communications are restricted by the application proxy receiving exclusive access to the communications link from the device driver.
18. A method according to Claim 16 or 17 characterised in that communications are restricted at least partly by the communications link being unsuitable for transmitting conventional network communications and by the application proxy transforming conventional network communications to a data format transmissible by the communications link.
19. A method according to Claim 18 characterised in that the data format does not require a data address indicating a recipient.
20. A method according to Claim 18 or 19 characterised in that the data format is serial data.
21. A method according to Claim 16 characterised in that the proxy firewall computer is one of a plurality of like proxy firewall computers providing security for respective associated computers or computer networks and connected simultaneously to the communications link.
22. A method according to any one of Claims 16 to 21 characterised in that in normal operation the or as the case may be each proxy firewall computer provides security for an associated computer or computer network connected thereto by a network link suitable for conventional network communications.
PCT/GB2001/000154 2000-02-11 2001-01-16 Computer security system WO2001060019A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001225366A AU2001225366A1 (en) 2000-02-11 2001-01-16 Computer security system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0003018A GB0003018D0 (en) 2000-02-11 2000-02-11 Computer security system
GB0003018.9 2000-02-11

Publications (1)

Publication Number Publication Date
WO2001060019A1 true WO2001060019A1 (en) 2001-08-16