Enterprises have become increasingly dependent on computer network infrastructures to provide services and accomplish mission-critical tasks. Indeed, the performance, security, and efficiency of these network infrastructures have become critical as enterprises increase their reliance on distributed computing environments and wide area computer networks. To that end, a variety of network devices have been created to provide data gathering, reporting, and/or operational functions, such as firewalls, gateways, packet capture devices, bandwidth management devices, application traffic monitoring devices, and the like. For example, the TCP/IP protocol suite, which is widely implemented throughout the world-wide data communications network environment called the Internet and many wide and local area networks, omits any explicit supervisory function over the rate of data transport over the various devices that comprise the network. While there are certain perceived advantages, this characteristic has the consequence of juxtaposing very high-speed packets and very low-speed packets in potential conflict and produces certain inefficiencies. Certain loading conditions degrade performance of networked applications and can even cause instabilities which could lead to overloads that could stop data transfer temporarily.
To facilitate monitoring, management and control of network environments, a variety of network devices, applications, technologies and services have been developed. For example, certain data flow rate control mechanisms have been developed to provide a means to control and optimize the efficiency of data transfer as well as to allocate available bandwidth among a variety of business enterprise functionalities. U.S. Pat. No. 6,038,216 discloses a method for explicit data rate control in a packet-based network environment without data rate supervision. Data rate control directly moderates the rate of data transmission from a sending host, resulting in just-in-time data transmission to control inbound traffic and reduce the inefficiencies associated with dropped packets. Bandwidth management devices allow for explicit data rate control for flows associated with a particular traffic classification. U.S. Pat. No. 6,412,000, above, discloses automatic classification of network traffic for use in connection with bandwidth allocation mechanisms. U.S. Pat. No. 6,046,980 discloses systems and methods allowing for application layer control of bandwidth utilization in packet-based computer networks. Bandwidth management devices also allow network administrators to specify policies operative to control and/or prioritize the bandwidth allocated to individual data flows according to traffic classifications. In addition, certain bandwidth management devices, as well as certain routers, allow network administrators to specify aggregate bandwidth utilization controls to divide available bandwidth into partitions. With some network devices, these partitions can be configured to provide a minimum bandwidth guarantee, and/or cap bandwidth, as to a particular class of traffic.
An administrator specifies a traffic class (such as FTP data, or data flows involving a specific user or network application) and the size of the reserved virtual link—i.e., minimum guaranteed bandwidth and/or maximum bandwidth. Such partitions can be applied on a per-application basis (protecting and/or capping bandwidth for all traffic associated with an application) or a per-user basis (controlling, prioritizing, protecting and/or capping bandwidth for a particular user). In addition, certain bandwidth management devices allow administrators to define a partition hierarchy by configuring one or more partitions dividing the access link and further dividing the parent partitions into one or more child partitions. Furthermore, network security is another concern, such as the detection of computer viruses, as well as prevention of Denial-of-Service (DoS) attacks on, or unauthorized access to, enterprise networks. Accordingly, firewalls and other network devices are deployed at the edge of such networks to filter packets and perform various operations in response to a security threat. In addition, packet capture and other network data gathering devices are often deployed at the edge of, as well as at other strategic points in, a network to allow network administrators to monitor network conditions.
While the systems and methods discussed above that incorporate or utilize traffic classification mechanisms operate effectively for their intended purposes, they possess certain limitations. As discussed more fully below, identification of traffic types associated with data flows traversing a network generally involves the application of matching criteria or rules to explicitly presented or readily discoverable attributes of individual packets, or groups of packets, against an application signature which may comprise a protocol identifier (e.g., TCP, HTTP, UDP, MIME types, etc.), a port number, and even an application-specific string of text in the payload of a packet. Indeed, the rich Layer 7 classification functionality of Packetshaper® bandwidth management devices offered by Packeteer®, Inc. of Cupertino, Calif. is an attractive feature for network administrators, as it allows for accurate identification of a variety of application types.
An increasing number of network applications, however, employ data compression, encryption technology, and/or proprietary protocols that obscure or prevent identification of various application-specific attributes, often leaving well-known port numbers as the only basis for classification. In fact, as networked applications become increasingly complex, data encryption and/or compression has become a touted security or optimization feature. Indeed, data encryption addresses the concern of security and privacy issues, but it also makes it much more difficult for intermediate network devices to identify the applications that employ them. In addition, traffic classification based solely on well-known port numbers can be problematic, especially where a network application uses dynamic port number assignments or incorrectly uses a well-known port number, leading to misclassification of the data flows. In addition, classifying such encrypted network traffic as unknown (or encrypted) and applying a particular rate or admission policy to unknown traffic classes undermines the granular control otherwise provided by bandwidth management devices and, further, may cause legitimate, encrypted traffic to suffer as a result.
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of message transmission on the Internet. Other encryption technologies exist as well. For example, the Transport Layer Security (TLS) protocol, which is based on the SSL protocol, has recently emerged as a possible successor to the SSL protocol. The TLS protocol is described by Dierks and Allen, “The TLS Protocol Version 1.0,” IETF RFC 2246, http://www.ietf.org/rfc/rfc2246.txt (1999), which is incorporated by reference herein. The SSL protocol uses a program layer logically located between the Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection. SSL has been incorporated into a variety of network-based applications, such as web browsers, enterprise software applications, and recreational applications, such as peer-to-peer file sharing applications. The “sockets” part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network. SSL uses public- and private-key encryption, as well as digital certificates. TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access.
The SSL protocol uses a combination of public-key and symmetric key encryption. The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data, while the SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. An SSL session always begins with an exchange of messages called the SSL handshake. The SSL handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for encryption, decryption, and tamper detection during the ensuing SSL session. Optionally, the handshake also allows the client to authenticate itself to the server.
The increasing adoption of SSL, TLS and other similar encryption protocols presents certain problems to network devices that employ classification mechanisms to monitor and/or manage network traffic. For example, while the network traffic can be classified as SSL or TLS traffic, sub-classification of such network traffic is problematic as the encryption mechanisms associated with these protocols obscure the higher layer information in the packets and, thus, may prevent further classification into a specific network application or other traffic class. The increasing adoption of such encryption mechanisms is problematic to rich, granular traffic classification mechanisms that are configured, for example, to monitor, or manage, the performance of network applications.
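The following is an added example, not code from this patent, that makes the limitation above concrete: only the cleartext record and handshake headers of a TLS ClientHello are readable by an intermediate device, so a classifier can tell that a flow is TLS, which cipher suites were offered and, where the client includes a server_name extension (RFC 3546, a later addition not present in RFC 2246), which host was requested, but nothing about the application data that follows. The ClientHello bytes are constructed here for the demonstration and are not a real capture.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: minimal TLS 1.0 ClientHello carrying an SNI extension.
    Not a real capture; the 32 'random' bytes are fixed for reproducibility."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, name type 0, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = server_name
    body = (b"\x03\x01" + b"\x11" * 32 + b"\x00"                    # client version, random, session id len
            + struct.pack("!H", 4) + b"\x00\x2f\x00\x35"            # two cipher suites offered
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 22 = handshake

def classify_tls(data: bytes):
    """Return the fields a classifier can read without decrypting, or None if the
    bytes are not a TLS handshake record (e.g. plaintext HTTP or a truncated frame)."""
    try:
        if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        info = {"record_version": (data[1], data[2]), "handshake_type": hs[0],
                "cipher_suites": [], "sni": None}
        if hs[0] != 0x01:                      # only ClientHello carries the fields below
            return info
        pos = 4 + 2 + 32                       # skip handshake header, client version, random
        pos += 1 + hs[pos]                     # session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", hs[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hs[pos]                     # compression methods
        if pos + 2 <= len(hs):                 # extensions are optional (absent in plain RFC 2246 hellos)
            end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
                pos += 4
                if etype == 0 and elen >= 5:   # server_name: list len(2), type(1), name len(2), name
                    nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                    info["sni"] = hs[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
                pos += elen
        return info
    except (IndexError, struct.error):
        return None
```

Everything after the handshake, including the HTTP request a browser sends over the connection, is carried in application-data records that the classifier cannot interpret, which is why a flow ends up labelled only as "SSL/TLS" unless the port or the SNI happens to identify the application.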
In light of the foregoing, a need in the art exists for methods, apparatuses and systems that facilitate the classification of encrypted network traffic. Embodiments of the present invention substantially fulfill this need.