Anti-virus giant McAfee has been granted a patent on what could turn out to be a useful and lucrative piece of intellectual property.
Submitted to the US Patent and Trademark Authority as long ago as February 2002 with the humble-sounding name patent 6,839,852, "firewall system and method with network mapping capabilities", the innovation will give the company the ability to relate security “traffic events” in a firewall to their source. This could be done using something as intuitive as a global or national map.
The idea has a number of applications, including the fairly straightforward one of traffic monitoring. But it would also, potentially, give an administrator or user the ability to track geographical attack sources in real-time without the need for a deeper investigation or expertise.
Firewalls can provide IP address information for non-spoofed addresses and give basic data on the segments traffic travelled across using a traceroute, but extracting useful information from this in a timely fashion can be difficult. Integrated within a firewall, the new patent wouldn’t on its own guarantee that the event could be traced but it would make it harder for an attacker to hide the origins of an attempted hack. At least this is the theory.
Vincent Rossi, a McAfee senior vice president of product management, spelled out the company’s motivation for submitting the patent. "With this technology, McAfee customers can illustratively ascertain the geographic origin of potentially malicious traffic events," he said in the rather sparse press release. This doesn’t sound like the kind of sentence that could (as is sometimes the case) be dreamed up by a PR or marketing department, so we can assume he actually did say it. It has an encouraging ring of confidence and certainty about it.
So it was strange that, when contacted, McAfee said Rossi was not able to comment further on the subject. We would have liked to have asked him about how and when his company planned to exploit the patent, and whether it would license it to other companies. It would also have been interesting to hear an explanation of how it actually worked given the ease with which it is possible to avoid its traps in any current implementation of IP.
The best we can do, therefore, is to quote a rather opaque chapter from documentation supporting the patent application itself, which re-states its inspiration. “Often information of interest when analyzing such events includes a source of an attempt to access the protected device, and the network segments that were traversed to access the protected device. Unfortunately, typical personal firewalls merely list IP address associated with the source of the attempts and possibly names of network segments. This alphanumeric listing approach is cumbersome and fails to convey the information of interest intuitively.”
It seems more likely that McAfee has registered the patent to tie up an interesting and potentially important idea before the underlying technology to make it work has been thought through. One prominent US-based network expert we contacted (who used to work at McAfee) wished to remain anonymous, but offered us the following thoughts.
“It is mostly focused on the aspects of mapping and visualizing traffic events, and does not cover any specifics of a novel tracing methodology. It looks like some combination of event logs and trace-routing, which is then displayed graphically - some of the individual components of the patent have been referenced well before this patent was filed.”
Whether it works or not, a firewall with the ability to plot security incursions in real time against a map showing a point of origin is a compelling idea. It might or might not be feasible under current technology – we suspect not – but why shouldn’t admins dream?
Meanwhile, we’ll go and recover from the shock of an almost unprecedented event in the recent history of the computing industry – a company that doesn’t wish to hype its new technology. We haven’t heard the last of patent 6,839,852, one suspects.