[Figure residue: flowchart text recovered from a drawing. Boxes read: security update policy (downloaded or imaged) applied on the machine to allow only certain applications resident on the machine to connect to specific security-relevant sites specified in the security update policy (pre-access restricted zone); once the machine has complied with the security update policy, the restricted zone is lifted and the machine may participate in general Internet connectivity (e.g., in accordance with default firewall access rules). Step 502: request intercepted and redirected to TrueVector engine; TrueVector engine determines that application is requesting access to Internet and attempts to identify the particular application requesting access; step 504: TrueVector engine determines whether or not to permit access by the particular application to a particular site; if the particular application is approved for access, application is permitted to access the particular site; if the particular application is not approved for access at step 504, access is blocked.]
SYSTEM AND METHODOLOGY FOR PROTECTING NEW COMPUTERS BY APPLYING A PRECONFIGURED SECURITY UPDATE POLICY
CROSS REFERENCE TO RELATED APPLICATIONS
The present application is related to and claims the benefit of priority of the following commonly-owned, presently-pending provisional application(s): application Ser. No. 60/521,620, filed Jun. 7, 2004, entitled “System and Methodology for Protecting New Computers by Applying a Preconfigured Security Update Policy”, of which the present application is a non-provisional application thereof. The present application is related to the following commonly-owned, presently-pending application(s): application Ser. No. 09/944,057, filed Aug. 30, 2001, entitled “System Providing Internet Access Management with Router-based Policy Enforcement”; application Ser. No. 10/159,820, filed May 31, 2002, entitled “System and Methodology for Security Policy Arbitration”. The disclosures of each of the foregoing applications are hereby incorporated by reference in their entirety, including any appendices or attachments thereof, for
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
1. Field of the Invention
The present invention relates generally to systems and methods for maintaining security of computer systems connected to one or more networks (Local Area Networks or Wide Area Networks) and, more particularly, to a system and methodology for securing newly acquired computers from security breaches by applying a preconfigured or preset security update policy.
2. Description of the Background Art
The first computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or “LANs”. In both cases, maintaining security and controlling what information a computer user could access was relatively simple because the overall computing environment was limited and clearly defined.
In traditional computing networks, a desktop computer largely remained in a fixed location and was physically connected to a single local network (e.g., via Ethernet). More recently, however, an increasingly large number of business and individual users are using portable computing devices, such as laptop computers, that are moved frequently and that connect into more than one network. For example, many users now have laptop computers that can be connected to networks at home, at work, and in numerous other locations.
Many users also have home computers that are remotely connected to various organizations from time to time through the Internet. The number of computing devices, and the number of networks that these devices connect to, has increased dramatically in recent years.
In addition, various different types of connections may be utilized to connect to these different networks. A dial-up modem may be used for remote access to an office network. Various types of wireless connectivity, including IEEE (Institute of Electrical and Electronics Engineers) 802.11 and Bluetooth, are also increasingly popular. Wireless networks often have a large number of different users. Moreover, connection to these networks is often very easy, as connection does not require a physical link. Wireless and other types of networks are frequently provided in cafes, airports, convention centers, and other public locations to enable mobile computer users to connect to the Internet. Increasingly, users are also using the Internet to remotely connect to a number of different systems and networks. Thus, it is becoming more common for users to connect to a number of different networks from time to time through a number of different means.
One of the implications of this increasing number of devices occasionally connected to different networks is that traditional corporate firewall technologies are no longer effective. Traditional firewall products guard a boundary (or gateway) between a local network, such as a corporate network, and a larger network, such as the Internet. These products primarily regulate traffic between physical networks by establishing and enforcing rules that regulate access based upon the protocol and type of access request, the source requesting access, the connection port to be accessed, and other factors. For example, a firewall may permit access to a particular computer using TCP/IP on TCP port 80, but deny remote access to other computers on the network. A firewall may also permit access from a specific IP address or range (or zone) of IP addresses, but deny access from other addresses. Different security rules may be defined for different zones of addresses. However, traditional firewall technology guarding a network boundary does not protect against traffic that does not traverse that boundary. It does not regulate traffic between two devices within the network or two devices outside the network. A corporate firewall provides some degree of protection when a device is connected to that particular corporate network, but it provides no protection when the device is connected to other networks.
One security measure that has been utilized by many users is to install a personal firewall (or end point security) product on a computer system to control traffic into and out of the system. An end point security product can regulate all traffic into and out of a particular computing device. For example, an end point security product may expressly seek authorization from a user or administrator (or from a policy established by a user or administrator) for each network connection to or from a computing device, including connections initiated from the device and those initiated from external sources. This enables a user or administrator to monitor what applications on a device are accessing other machines or networks (e.g., the Internet). It also enforces security by obtaining authorization for each Internet or network connection opened to (or from) the device, including connections initiated both internally and externally. In the home environment, for instance, an end point security product enables a home user to monitor the applications he or she is using and enforces security by requiring his or her authorization for each connection. Typically, for connections initiated from the device, a user may configure application permission rules that permit certain applications to connect to one or more networks or devices, such as a local area network (LAN) or a wide area network (WAN), such as the Internet. These application permission rules may, for instance, permit a particular application, such as a Web browser program, to open connections to the Internet. A rule may also be configured to permit an application to access another computer on the same LAN, but prohibit this application from opening an Internet connection.
Despite the increasing use of end point security and antivirus products, issues remain. Consumers currently face a particular problem when buying a new computer. Because of restrictions during the manufacturing process (e.g., due to cost/overhead issues, licensing restrictions, etc.), computers today tend to be outdated in terms of security by the time consumers actually have an opportunity to purchase those computers. For example, computers are frequently sold to consumers with an antivirus program already installed. However, the antivirus program and/or the virus definition files are typically out of date by the time the computer is actually received and placed into use by consumers. In order to update a computer for bringing it into compliance with current security updates, the user is required to connect the new computer to the Internet for accessing certain vendor sites, for example for obtaining the latest antivirus definition file. Since a number of manufacturers update hard disk images for their computer lines only once or twice a year, a user may need to not only update data files (e.g., virus definition files) but also completely update the underlying security software itself, such as updating the underlying antivirus software (engine). Manufacturers’ practice of annual or semi-annual updating is highly problematic. In terms of protection for a computer, that practice translates into a security system that may be up to 12 months out of date by the time the system actually gets into consumer hands.
Even if a consumer does everything exactly right with a new computer (e.g., updating antivirus software and data files, updating firewall software, updating operating system software, patching any applications with known vulnerabilities, etc.), he or she is required to spend a considerable amount of time online in order to get the “new” machine to a point where its security system is no longer out of date. For example, a new virus software update (e.g., from Symantec or McAfee) can easily run 15-20 MB to download. A new operating system service pack update (e.g., from Microsoft) may require a 100+ MB download. All told, the present day approach to delivering new computers requires consumers to spend a considerable amount of time online with an outdated security system—that is, a system which may have a long list of known vulnerabilities that hackers constantly scan for. As a concrete example from the inventor’s own experience, a new notebook computer purchased while traveling was infected with the MS-Blast worm before even the brief task of downloading current firewall software (e.g., ZoneAlarm®, which is a fairly small download) could be completed.
To date, the only approach to addressing the foregoing is to preinstall antivirus and firewall/end point security software, as part of a computer’s manufacturer-provided hard disk image. However, as outlined above, with the current approach of manufacturing hard disk images, the preinstalled software is out of date by the time it actually reaches consumers. Accordingly, the foregoing problem of an initial infection has continued to plague consumers. Further compounding the problem, once a new machine has sustained an initial infection, the malicious software (e.g., virus, worm, etc.) can sabotage the machine, thus preventing the user from getting required downloads in order to bring the computer’s security system up to date. In other words, the initial infection prolongs the user’s inability to get appropriate updates. Since malicious software often tends to be poorly written, infected machines tend to be prone to crashing. Although the failure comes from the infection, users may instead blame the computer manufacturer for a defective device: they bought a brand new machine and it failed, therefore it must be a defective machine. This leads to increased support/warranty costs and product returns for manufacturers, even though the failures are not necessarily a result of manufacturing defects.
What is needed is a solution for protecting newly purchased computers from viruses, worms, and other malicious software. The solution should protect the computer when it is initially received by the user and should facilitate the process of obtaining required updates in order to bring the computer’s security system up to date. The present invention provides a solution for these and other needs.
A system and methodology for protecting new computers by applying a preconfigured security update policy is described. In one embodiment, for example, a method of the present invention is described for controlling connections to a computer upon its initial deployment, the method comprising steps of: upon initial deployment of the computer, applying a preconfigured security policy that establishes a restricted zone of preapproved hosts that the computer may connect to upon its initial deployment; receiving a request for a connection from the computer to a particular host; based on the preconfigured security policy, determining whether the particular host is within the restricted zone of preapproved hosts; and blocking the connection if the particular host is not within the restricted zone of preapproved hosts.
In another embodiment, for example, a computer system of the present invention that is preconfigured to control connections upon initial deployment is described that comprises: a computer having a preconfigured security policy that establishes a restricted zone of preapproved hosts that the computer may connect to upon initial deployment of the computer; a connectivity module for processing user requests for the computer to connect to a particular host; and a security module for determining whether the particular host is within the restricted zone of preapproved hosts based on the preconfigured security policy, and for blocking any attempt to connect to a host that is not within the restricted zone of preapproved hosts.
In yet another embodiment, for example, a method of the present invention is described for enforcing pre-access connectivity restrictions on a new machine, the method comprising steps of: detecting attempts to connect the new machine to other devices; determining, based on an initial security policy that establishes a restricted zone of acceptable connections, which devices the new machine is permitted to connect to; and blocking any connection that attempts to connect the new machine to a device outside the restricted zone of acceptable connections.
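The following is an added illustration, not code from the patent or from any TrueVector or ZoneAlarm product, of the enforcement logic the embodiments above and the application-permission rules in the background section describe: a preconfigured policy naming the resident applications approved for pre-access connectivity and the preapproved hosts (the restricted zone) each may reach; an intercept point that identifies the requesting application and permits or blocks each request; and a transition to ordinary default firewall rules once the machine has complied with the update policy. All class and function names, the application names, the hostnames and the address ranges are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Added example (not the patent's code). Hostnames, application names and
# address ranges below are constructed; real policies would carry vendor hosts.


def host_matches(host: str, entries: Set[str]) -> bool:
    """True if host is listed literally or falls inside a CIDR entry."""
    if host in entries:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname that is not listed literally never matches a CIDR
    for entry in entries:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # entry is a hostname, not a network
    return False


@dataclass
class SecurityUpdatePolicy:
    """Preconfigured (imaged or downloaded) policy: for each approved resident
    application, the security-relevant hosts it may reach before the machine
    is brought up to date. The union of all entries is the restricted zone."""
    app_rules: Dict[str, Set[str]]

    def restricted_zone(self) -> Set[str]:
        return set().union(*self.app_rules.values())


class PreAccessEngine:
    """Intercepts every outbound request, identifies the requesting application
    and decides permit/block (the step 502/504 pattern in the figure text)."""

    def __init__(self, policy: SecurityUpdatePolicy,
                 default_rules: Callable[[str, str], bool]) -> None:
        self.policy = policy
        self.default_rules = default_rules  # used once the restricted zone is lifted
        self.compliant = False
        self.log: List[Tuple[str, str, str, str]] = []

    def request(self, app: str, host: str) -> bool:
        if self.compliant:
            allowed = self.default_rules(app, host)
            reason = "default firewall rules"
        else:
            allowed_hosts = self.policy.app_rules.get(app)
            if allowed_hosts is None:
                allowed, reason = False, "application not approved for pre-access zone"
            elif host_matches(host, allowed_hosts):
                allowed, reason = True, "host within restricted zone for this application"
            elif host_matches(host, self.policy.restricted_zone()):
                allowed, reason = False, "host in zone but not permitted for this application"
            else:
                allowed, reason = False, "host outside restricted zone"
        self.log.append((app, host, "ALLOW" if allowed else "BLOCK", reason))
        return allowed

    def mark_compliant(self) -> None:
        """Called once the machine has complied with the update policy; the
        restricted zone is lifted and default rules apply from here on."""
        self.compliant = True


# Constructed policy: only the updaters may talk, and only to their vendors.
POLICY = SecurityUpdatePolicy(app_rules={
    "av_updater.exe": {"definitions.av-vendor.example", "198.51.100.0/24"},
    "os_update.exe": {"update.os-vendor.example"},
})


def default_rules(app: str, host: str) -> bool:
    """Constructed stand-in for the post-compliance firewall rules."""
    return app != "blocked_tool.exe"


def demo() -> List[bool]:
    eng = PreAccessEngine(POLICY, default_rules)
    results = [
        eng.request("av_updater.exe", "definitions.av-vendor.example"),  # allowed: listed host
        eng.request("av_updater.exe", "198.51.100.7"),                   # allowed: inside CIDR entry
        eng.request("browser.exe", "www.example.org"),                   # blocked: app not approved
        eng.request("os_update.exe", "definitions.av-vendor.example"),   # blocked: zone host, wrong app
        eng.request("av_updater.exe", "203.0.113.9"),                    # blocked: outside zone
    ]
    eng.mark_compliant()
    results.append(eng.request("browser.exe", "www.example.org"))         # allowed: zone lifted
    return results


if __name__ == "__main__":
    for allowed, entry in zip(demo(), PreAccessEngine(POLICY, default_rules).log or [None] * 6):
        print(allowed)
```

The decision log records the reason for every block, which is what a support desk would want when a new machine "cannot get online" during the pre-access phase: the three block reasons distinguish an unapproved application, an approved application reaching for the wrong vendor, and a request that leaves the zone entirely.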
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a very general block diagram of a computer system (e.g., an IBM-compatible system) in which software-implemented processes of the present invention may be embodied.
FIG. 2 is a block diagram of a software system for controlling the operation of the computer system.
FIG. 3 is a block diagram of an environment in which the present invention is preferably embodied.