Devices such as firewalls are sometimes used to prevent users from accessing resources to which they are not authorized. As an example, members of the public may be entitled to access content served by a web server, but not authorized to access other services available on the server such as administrative tools. In another example, employees of a company may be entitled to access certain websites or certain classes of websites while other websites or other classes of websites may be prohibited for all employees. Firewalls and other security devices typically enforce policies against network transmissions based on a set of rules.
Traditional security devices are implemented as a monolithic device provided with multiple processors for handling the incoming data streams. Such security devices often implement a centralized control scheme in which one processor is designated as the management processor. Incoming data packets are often broadcast to all processors in the security device, and the processors cooperate with each other, through software messaging, to determine which processor should take ownership of handling the incoming data packets belonging to one or more flows. However, such a centralized control scheme does not scale to handle an increased number of data packets.
Furthermore, in a security device implemented as a distributed system, management of flow assignment needs to take into consideration different types of data traffic, including data traffic that may belong to related data connections, to ensure effective security policy enforcement across the many independent computing resources that handle the data traffic.
Finally, to implement complex security policies, a firewall needs to keep track of many independent and random events and correlate those events for policy enforcement. Firewalls and other security devices typically maintain event statistics using counters that are updated rapidly so that network traffic can be examined effectively as it is being communicated. Maintaining event statistics becomes challenging when the security device is implemented as a distributed system, where events have to be detected and tracked across many independent computing resources. One method of maintaining event statistics in a distributed computing environment is to rely on software to send messages between all of the computing resources in an attempt to keep synchronized copies of the event data. Such a software solution has undesirable performance and does not scale well.