Design Philosophy

The Corprotect Firewall is designed to be verified for correctness as a whole or at a component level. This appears to be a fairly novel approach for a network firewall, as many existing firewall systems rely on software that is "known to be good" or that is considered trustworthy because it has been used extensively for a long time. One problem with the "known to be good" approach is that historically it hasn't been very reliable. Certain software components such as mailers are frequently exploited in break-ins, no matter how carefully they are maintained. Problem programs are often complex pieces of software, often implemented in several tens of thousands of lines of code, which require system privileges in order to operate. As a step towards addressing this, the Corprotect Firewall is designed to operate along the basic design principles that:

• Even if there is a bug in the implementation of a network service, it should not be able to compromise the system.
• Hosts on the untrusted network should not be able to connect directly to network services that are running with privileges.
• Network services should be implemented with a minimum of features and complexity. The source code should be simple enough to be reviewed thoroughly and quickly.
• There should be a reasonable way of testing the correctness of the system.

These design principles can be effectively applied to any network firewall architecture.

The Corprotect Firewall is designed to support users who want to implement firewalls based on the "that which is not expressly permitted is denied" approach. Generally, when building such a firewall, it is important to have good tools to provide access control and secure service for the few services that are provided. The software components of the Corprotect Firewall implement security for the most commonly used network services.