Packet-based data networks continue to grow in importance, and it is often desirable to implement real-time security monitoring for network traffic associated with these packet-based networks. In addition, it is often desirable to apply a variety of different security tests to the packet traffic within the packet network communication system. To meet these various security monitoring and test needs, many network communication systems serially scan packets using multiple in-line network security tools prior to deeming input packets safe or secure enough to be forwarded on to network destinations. For these prior solutions, input packets from network sources are sent through a series of in-line network security tools prior to being forwarded on as secure or safe packets to network destinations.
FIG. 1 (Prior Art) is a block diagram of an example embodiment 100 for a network communication system including a network packet forwarding system 110 that serially forwards incoming network packets 104 from network packet sources 102 through a series of in-line security tools (TOOL1, TOOL2, TOOL3) 112, 114, and 116 before providing secure network packets 106 to network packet destinations 108. In particular, when each input packet is received, the packet forwarding system 110 forwards the input packet to a first security tool (TOOL 1) 112 as indicated by arrow 120. The first security tool 112 processes the packet according to its internal security processing procedures and returns the packet to the network packet forwarding system 110 as indicated by arrow 122, assuming that the packet is not blocked or dropped by the first security tool 112, for example, because it has been deemed an insecure packet by the first security tool 112. The packet forwarding system 110 then forwards the input packet to a second security tool (TOOL 2) 114 as indicated by arrow 124. Similar to the first security tool 112, the second security tool 114 processes the packet according to its internal security processing procedures and returns the packet to the network packet forwarding system 110 as indicated by arrow 126, assuming again that the packet is not blocked or dropped by the second security tool 114, for example, because it has been deemed an insecure packet by the second security tool 114. The packet forwarding system 110 then forwards the input packet to a third security tool (TOOL 3) 116 as indicated by arrow 128. 
Similar to the other security tools 112 and 114, the third security tool 116 processes the packet according to its internal security processing procedures and returns the packet to the network packet forwarding system 110 as indicated by arrow 130, assuming again that the packet is not blocked or dropped by the third security tool 116, for example, because it has been deemed an insecure packet by the third security tool 116. After the last security tool 116 returns the packet, the network packet forwarding system 110 forwards the packet as a secure network packet to one or more of the network packet destinations 108.
Thus, for the example embodiment 100 that includes three security tools, a series of six communications 120, 122, 124, 126, 128, and 130 are used to pass each input packet in sequence to the different security tools 112, 114, and 116 for processing. The overall latency for this security processing, therefore, is the sum of the individual processing latencies for the security tools 112, 114, and 116 plus the latencies for four processing hops through the network packet forwarding system 110 itself as represented by dashed lines 132, 134, 136, and 138. This latency can become significant, depending upon the combined latencies of the different security tools, particularly where the number and/or complexity of the security tools is increased for a particular network communication system.