Enterprise networks are threatened with a variety of security issues on a daily basis. These threats can be either internal or external. Internal threats range from break in attempts by disgruntled employees, virus or worms let loose by employees or just employee network access behavior deemed unacceptable per enterprise security policies. External threats range from dedicated attacks on the enterprise network in an attempt to steal intellectual property, denial of service attacks, unauthorized intrusions, viruses and worms etc. In all of these cases, a packet firewall is a network administrator's primary form of defense.
Packet firewalls sit inline with network traffic, intercept incoming packets, and verify each packet against a set of firewall rules to accept, reject and optionally log the packet. In addition to packet filtering, network administrators sometimes also use packet filters to enforce traffic management policies. Such policies are useful in limiting or controlling offensive behavior. Due to the fact that packet firewalls sit inline with and inspect all network traffic, it is important that the firewall should be able to provide sufficient network throughput to keep up with network traffic demands. In today's enterprise networks, firewall rules are typically limited to 2500 Cisco ACL (access control list) rules These rules are fairly specific, and are designed to allow or reject specific activities or hosts. The ACL rules are limited to this number for performance and manageability reasons. The number of rules directly affects router performance, hence these rules are maintained at a low number. Moreover, large number of rules also makes rules management more error-prone and difficult to verify or modify. In a large organization, the rules are distributed across firewalls in various sites, and adapted as necessary, increasing chances of an error. For these reasons, the number of rules must be maintained at a manageable level.
Under a typical advanced firewall implementation, two levels of filtering are employed. At the first level, filtering is performed based on applicable ACL rules. In this instance, a highest-priority rule corresponding to the ACL database is identified based on the packet header information. For example, the rule may be identified based on a five-tuple input corresponding to values for the source and destination addresses, source and destination ports, and protocol using well-known classification algorithms. Since many attacks (particularly denial of service attacks) will originate from a known source address using a particular port, packets corresponding to these attacks can be readily identified, and appropriate rules (e.g., drop packet) may be employed to effect a desired firewall policy. This first level of filtering can be implemented at line-rate speeds using modern networking equipment. Under some implementations, dedicated components or separate computers are employed for performing these filtering operations.
The second level of filtering relates to packet inspection. In this case, the actual packet payload is searched for a particular string or set of strings. For example, the firewall applications may need to search for certain strings indicative of a virus or Internet worm that is present in the packet. In addition, other non-security applications may likewise need to peek into the packet payload, such as for load balancing or billing purposes. These operations, known as “content inspection” or “(deep) packet inspection,” involve inspecting the packet payload for candidate patterns and taking actions based on the presence or absence of these patterns.
Under some firewall implementations, packet/content inspection is off-loaded to a separate application or sub-system that does not support line-rate speeds. For example, these operations may be performed by a separate computer host or embedded general-purpose processor coupled to or provided by a network device. Since the operations are not performed at line-rate (and thus not restricted to corresponding processing latencies), they can employ larger but slower, less-expensive memory (e.g., DRAM (dynamic random access memory)), and employ conventional string search techniques.
Network processors (also referred to as network processor units (NPUs)) are increasingly being used in a variety of networking equipment due to their cost effectiveness, processing speed, flexibility, and upgradeability. In constructing next-generation networking platforms, it is desirable that robust firewall functionality be added without requiring the addition of specialized firewall components, instead utilizing network processor technology and adding firewall functionality to NPU code in a reusable, scaleable fashion.
One of the key challenges in content/packet inspection concerns scanning for patterns that span multiple packets. Under a conventional approach using a dedicated firewall resource (e.g., a content inspection application running on a separate component or system), this problem is solved by simply buffering packet streams. The payload content of multiple packets are assembled into a single buffer (thus eliminating the packet boundaries) to form a copy of the data stream being transported, and an appropriate pattern-matching algorithm is employed to scan the data in the buffer for matches. While this technique requires no modifications to conventional pattern-matching algorithms, it imposes significant storage requirements. Furthermore, while this mechanism is relatively simple to implement in systems with small number of flows, it does not scale well for systems that need to support large number of flows simultaneously. Moreover, this technique is not amenable to use with network processors, and cannot be performed at line-rates when large numbers of simultaneous flows are to be supported.