Increased usage of communication networks, particularly packet-switched networks such as the Internet, has increased the need for more effective network security. Thus, as the amount of potentially valuable information conveyed via communication networks increases, the incentive for unauthorized persons to expose this information increases.
There are many well-known techniques for compromising the security of a packet-switched communication network or network communication device such as, for example, a network processor, an application specific integrated circuit (ASIC), etc. One well-known technique is commonly referred to as a denial of service (DOS) attack. A DOS attack can be implemented and launched in a number of different manners. For example, Internet protocol (IP) source address spoofing, SYN packet flooding, UDP flooding, ICMP echo reply, ICMP flooding and sequence number attacks are several well-known types of DOS attacks. Each of these known DOS attacks can be detected, uniquely identified and overcome to prevent a compromise of network security, as long as the device or devices detecting, identifying and responding to the attack are capable of quickly executing an appropriate response algorithm.
Typically, a network, which may include a plurality of coupled general purpose processors, network processors and/or ASICs uses one or more of these devices to carry out responses or countermeasures to network security attacks. For example, the responses or countermeasures may include executing algorithms that detect, identify and respond to particular types of DOS attacks. ASICs are highly customized devices that typically perform a single predetermined algorithm and, thus, can be used to rapidly and effectively respond to a DOS attack or some other type of network security attack. Unfortunately, ASICs are static in nature and are typically only capable of executing a relatively limited number predetermined security countermeasure algorithms that are encoded within the ASICs at the time of their manufacture or configuration. As a result, if an ASIC is subjected to a DOS attack or any other type of network security attack for which the ASIC does not have a responsive algorithm, the ASIC will be unable to effectively respond to the attack to prevent a compromise of network security.
In contrast to ASICs, network processors are programmable and, as a result, the security algorithm executed by a network processor can be modified prior to run-time (i.e., the time during which the network processor is executing software) by downloading appropriate software into the network processor prior to run-time. Traditionally, development of an effective response to a network security attack has required programmers to develop network security software that is specifically adapted to be loaded and executed within the fast path packet processing portion (i.e., the fast path hardware) of the network processor. Unfortunately, the software instruction set available for execution within the fast path hardware of network processors is typically relatively limited. Additionally, the fast path processing portion of a network processor typically provides relatively limited memory space (i.e., a code store) for instructions. As a result, the complexity and size of programs that can be loaded and executed within the fast path hardware of a network processor is somewhat limited. Consequently, programmers typically select a single network security algorithm for downloading and execution within the fast path of a network processor. Thus, the security measure or the algorithm responsive to a network security attack used within a network processor is static (i.e., cannot be changed during run-time) and typically cannot respond to more than one type of network security attack.
Furthermore, while an operating system can be used to selectively manage the execution of multiple applications or processes, known network processors do not employ conventional operating systems because a conventional operating system would compromise the speed at which the network processor could execute its security algorithms. Thus, in practice, network processors are also static in nature (i.e., they are typically programmed to respond to a single type of network security threat) and the security algorithm executed by a network processor typically cannot be changed during run-time.