System and method for increasing the resiliency of firewall systems

US 6,684,329 B1
Filed: 12/30/1999
Issued: 01/27/2004
Est. Priority Date: 07/13/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A computer system that implements a security barrier between a first computer network region and a second computer network region, the computer system comprising:

at least one proxy agent running on the computer system, said at least one proxy agent being operative to mediate traffic between a first computer network region and a second computer network region;

at least one first software wrapper application running on the computer system, said at least one first software wrapper application associated with said at least one proxy agent and being operative to constrain at least one element of behavior of said at least one proxy agent; and

at least one second software wrapper application running on the computer system, said at least one second software wrapper application being operative to prevent other applications on the computer system from interfering with said at least one proxy agent and said at least one first software wrapper application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for minimizing the likelihood of flaws in a firewall proxy is disclosed. Software wrappers are used to introduce fine-grained controls on the operation of existing proxy applications. These fine-grained controls create an extra measure of assurance that bugs (or malicious software) will not subvert the intent of the firewall. To provide even further assurance, the firewall system can be totally wrapped. A totally wrapped system includes a wrapper for the proxies plus a separate wrapper for everything else on the firewall system that can potentially interfere with the wrappers and the proxies. The software wrappers can also be integrated with an intrusion detection system. The fine-grained controls of the software wrapper enables it to be uniquely positioned to generate alerts based on an indication that a flaw exists in the proxy and that the proxy is misbehaving.

65 Citations

View as Search Results

29 Claims

1. A computer system that implements a security barrier between a first computer network region and a second computer network region, the computer system comprising:
- at least one proxy agent running on the computer system, said at least one proxy agent being operative to mediate traffic between a first computer network region and a second computer network region;
  
  at least one first software wrapper application running on the computer system, said at least one first software wrapper application associated with said at least one proxy agent and being operative to constrain at least one element of behavior of said at least one proxy agent; and
  
  at least one second software wrapper application running on the computer system, said at least one second software wrapper application being operative to prevent other applications on the computer system from interfering with said at least one proxy agent and said at least one first software wrapper application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer system of claim 1, wherein said at least one proxy agent is an application level proxy agent.
  - 3. The computer system of claim 1, wherein said at least one first software wrapper application and said at least one second software wrapper application are kernel loadable modules.
  - 4. The computer system of claim 1, wherein said at least one second software wrapper application prevents other applications from binding ports used by said at least one proxy agent.
  - 5. The computer system of claim 1, wherein said at least one second software wrapper application prevents other applications from modifying said at least one first software wrapper application.
  - 6. The computer system of claim 1, wherein said at least one second software wrapper application prevents other applications from modifying a configuration file used by said at least one proxy agent.
  - 7. The computer system of claim 1, wherein said at least one second software wrapper application prevents other applications from modifying a shared library used by said at least one proxy agent.
  - 8. The computer system of claim 1, wherein said proxy agents and software wrappers can be run on a UNIX operating system.
  - 9. The computer system of claim 1, wherein said proxy agents and software wrappers can be run on a Windows NT operating system.
  - 10. The computer system of claim 1, wherein said at least one first software wrapper application is capable of generating an alert for an intrusion detection system based on an analysis of the operation of said at least one proxy agent.

11. A firewall computer system that implements a security barrier between a first computer network region and a second computer network region, the firewall computer system comprising:
- at least one proxy agent running on the firewall computer system, said at least one proxy agent being operative to mediate traffic between a first computer network region and a second computer network region; and
  
  at least one software wrapper application running on the firewall computer system, said at least one software wrapper application associated with said at least one proxy agent and being operative to constrain at least one element of behavior of said at least one proxy agent.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The firewall computer system of claim 11, wherein said at least one proxy agent is an application level proxy agent.
  - 13. The firewall computer system of claim 11, wherein said at least one software wrapper application is a kernel loadable module.
  - 14. The firewall computer system of claim 11, wherein said at least one software wrapper application prevents said at least one proxy agent from executing a disallowed administrative call.
  - 15. The firewall computer system of claim 11, wherein said at least one software wrapper application prevents said at least one proxy agent from writing to a file system.
  - 16. The firewall computer system of claim 11, wherein said at least one software wrapper application prevents said at least one proxy agent from executing a disallowed file system operation.
  - 17. The firewall computer system of claim 11, wherein said at least one software wrapper application prevents said at least one proxy agent from binding to a disallowed port.
  - 18. The firewall computer system of claim 11, wherein said proxy agents and software wrappers can be run on a UNIX operating system.
  - 19. The firewall computer system of claim 11, wherein said proxy agents and software wrappers can be run on a Windows NT operating system.
  - 20. The firewall computer system of claim 11, wherein said at least one software wrapper application is capable of generating an alert for an intrusion detection system based on an analysis of the operation of said at least one proxy agent.

21. A computer program product for enabling a processor in a computer system to implement a security barrier between a first computer network region and a second computer network region, said computer program product comprising:
- a computer usable medium having computer readable program code means embodied in said medium for causing a program to execute on the computer system, said computer readable program code means comprising;
  
  a first computer readable program code means for enabling the computer system to implement a proxy agent, said proxy agent being operative to mediate traffic between said first computer network region and said second computer network region;
  
  a second computer readable program code means for enabling the computer system to implement a first software wrapper application, said first software wrapper application associated with said proxy agent and being operative to constrain at least one element of behavior of said proxy agent; and
  
  a third computer readable program code means for enabling the computer system to implement a second software wrapper application, said second software wrapper application being operative to prevent other applications on the computer system from interfering with said proxy agent and said first software wrapper application.

22. A computer program product for enabling a processor in a computer system to implement a security barrier between a first computer network region and a second computer network region, said computer program product comprising:
- a computer usable medium having computer readable program code means embodied in said medium for causing a program to execute on the computer system, said computer readable program code means comprising;
  
  a first computer readable program code means for enabling the computer system to implement a proxy agent, said proxy agent being operative to mediate traffic between said first computer network region and said second computer network region; and
  
  a second computer readable program code means for enabling the computer system to implement a software wrapper application, said software wrapper application associated with said proxy agent and being operative to constrain at least one element of behavior of said proxy agent.

23. A method in a firewall computer system for implementing a security barrier between a first computer network region and a second computer network region, the method comprising the steps of:
- (a) wrapping at least one proxy agent running on a computer system using at least one first software wrapper application, said at least one first software wrapper application associated with said at least one proxy agent and being operative to constrain at least one element of behavior of said at least one proxy agent; and
  
  (b) wrapping other applications on the computer system using at least one second software wrapper application, said at least one second software wrapper application being operative to prevent said other applications on the computer system from interfering with said at least one proxy agent and said at least one first software wrapper application.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method of claim 23, wherein steps (a) and (b) comprise the step of wrapping using a kernel loadable module.
  - 25. The method of claim 23, wherein step (b) comprises the step of wrapping other applications on the computer system using a wrapper application that prevents other applications from binding ports used by said at least one proxy agent.
  - 26. The method of claim 23, wherein step (b) comprises the step of wrapping other applications on the computer system using a wrapper application that prevents other applications from modifying said at least one first software wrapper application.
  - 27. The method of claim 23, wherein step (b) comprises the step of wrapping other applications on the computer system using a wrapper application that prevents other applications from modifying a configuration file used by said at least one proxy agent.
  - 28. The method of claim 23, wherein step (b) comprises the step of wrapping other applications on the computer system using a wrapper application that prevents other applications from modifying a shared library used by said at least one proxy agent.
  - 29. The method of claim 23, wherein step (a) comprises the step of wrapping at least one proxy agent on the computer system using a wrapper application that generates an alert for an intrusion detection system based on an analysis of the operation of said at least one proxy agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
Thomas, Linda, Epstein, Jeremy
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/475,943
Time in Patent Office

1,489 Days
Field of Search

713/150, 713/153, 713/200, 713/201
US Class Current

713/150
CPC Class Codes

H04L 63/0281 Proxies

H04L 69/40 for recovering from a failu...

System and method for increasing the resiliency of firewall systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for increasing the resiliency of firewall systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links