A Firewall Network System for Worm Defense in Enterprise Networks

From a security point of view, the Internet is too open. The central idea of a traditional “firewall” is to constrain service requests from the Internet to a local network. As an enterprise network becomes larger and more flexible, an Internet worm can easily find a way to enter it. Based on the “defense-in-depth” principle, we present a “Firewall Network System” for worm defense in an enterprise network that uses internal firewalls to divide the network into many isolated subnetworks. Computers in an enterprise network are classified as either clients or servers: all service requests sent to internal IP addresses of an enterprise network will be blocked by internal firewalls if they target non-server computers or servers that do not provide the corresponding service. In this way, the Firewall Network System removes most worm infection paths in an enterprise network, making worm detection much easier. All internal firewalls are designed to have the same set of firewall rules, which means the Firewall Network System is scalable and easily managed. In addition, we propose a five-level feedback worm defense strategy and present models of several worm defenses based on either active patching or quarantine.