1. Field of the Invention
The present invention relates to a method for high-speed discrimination of security policy in a packet-filtering firewall system, which reduces the delay required to discriminate the policy applicable to each incoming packet and thereby improves network performance. More particularly, it relates to a method that discriminates, at high speed, which one of the policies set by a user applies to each TCP/IP packet arriving at the firewall. The present invention further relates to a method of policy discrimination in a firewall system that maintains high-speed performance, by means of a high-speed traffic policy discrimination algorithm, regardless of the number of policies set by the user and the number of currently connected sessions.
2. Discussion of the Related Art
Generally, a firewall is located at the traffic concentration point between a network to be protected and an untrusted network. It is a principal network security technology: it examines all traffic between the two networks against the policies set by a user, so that traffic contrary to the policies is filtered out while traffic conforming to the policies is passed.
Recently, increasingly sophisticated hacking techniques have become so widely available that anyone can abuse them, and the damage caused by hacking is growing exponentially. For secure networking, a firewall is therefore essential in the networks of corporations, organizations, educational institutions, and the like.
However, installing a firewall introduces problems of its own. One is that network performance may be degraded because the firewall slows the traffic passing through it. Another is that the firewall cannot actively adapt to changing network conditions, since it is a passive system that performs only the functions configured by its operator. Of these, users suffer most from the loss of network performance: firewall performance cannot keep pace with the growth of Internet traffic, which doubles within a matter of months.
Prior art firewall systems operate in a proxy access mode or a packet-filtering mode. The proxy access mode cuts off direct access by users at the traffic concentration point and applies policies based on information about the users and the receiving parties. Its performance is low because it intercepts every access from a user and relays the network session by proxy, and policy discrimination adds further delay. Also, because the proxy access mode consumes many system resources for every session it creates, the number of concurrently connectable sessions is very low.
In the packet-filtering mode, on the other hand, every packet passing between the two networks through the traffic concentration point is examined against the policies one by one, and each packet is individually filtered or passed. This mode performs better than the proxy access mode, since no separate program is required and sessions are not cut off and redirected through a proxy. Recently, most network traffic has been processed in the packet-filtering mode, with only some special communication modes handled by proxy access.
However, even though it outperforms the proxy access mode, a firewall system in the packet-filtering mode cannot fully process the rapidly growing volume of Internet traffic. The cause is the delay incurred when every packet is examined against the set of policies one by one: more than 80% of the performance degradation of a packet-filtering firewall is due to the time required for policy discrimination.
Therefore, to improve network performance, the delay required to discriminate the policy for a packet must be reduced. Prior art techniques for policy discrimination on a packet can be classified as follows.
First, in the simplest approach, selected data fields are extracted from each packet, as shown in FIG. 1, and all policies set by the user are inspected sequentially, one by one, until a policy congruent with the extracted data is found. With 100 policies, an average of about 50 policies must be inspected per packet, so performance degrades by more than 50 times compared with the case of a single policy. That is, as the number of policies or the number of currently connected sessions increases, the discrimination work for all packets takes longer and network performance deteriorates.
Second, as shown in FIG. 2, every possible combination of the packet data is tabulated, and the table entry corresponding to an input packet is looked up directly. Since the corresponding policy is then found with a single computation after the packet data are extracted, policy discrimination is performed regardless of the number of policies and the number of concurrently connected sessions. However, the amount of packet data required for policy discrimination is 112 bits, so the number of possible cases is 2^112, i.e., 5,192,296,858,534,827,628,530,496,329,220,096. It is therefore impossible to build a table of that size in the memory of a system.
Third, since packets of the same type tend to be transmitted in groups, a new first packet is inspected by the first method, and its packet data are stored in a designated memory together with the number of the policy discriminated for it. From the second packet onward, the designated memory is first searched for a packet of the same type; if one is found, the packet is deemed to obey the policy whose number is stored with the matching entry. In this case, the performance of the firewall system depends on how many different types of session are currently connected, because when many different sessions are connected simultaneously, the probability that packets of the same type arrive in groups falls rapidly.
Fourth, there is a method in which the IP address is retrieved bit by bit, as in the Compressed Multibit Trie algorithm. However, since this method cannot support the variety of policies required, there are problems in using it commercially in a firewall system.
Because of the above problems, the third method and its variants can support high-speed performance to some extent. However, their performance is affected by the number of concurrently connected sessions. As a simple example, suppose a system that can process 50,000 packets per second receives 2,000 new sessions in one second. The 2,000 new sessions are processed within that second, and packets are processed at 50,000 packets per second during the time remaining after the new-session processing is complete. If inspecting one policy takes 1 microsecond and there are 200 policies, an average of 100 policies must be inspected per new session, i.e., 100 microseconds per session, so the 2,000 new sessions require 200 milliseconds. The number of packets processed in that second therefore falls to 42,000 (the 2,000 new-session packets plus 50,000 × 0.8 seconds), a performance loss of 16%. Accordingly, in a user environment that demands a high-performance firewall, the time required for policy discrimination must be minimized.
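The following is an added illustration of the first and third methods and of the throughput model above; it is not code from the patent. It assumes a policy keyed on the 5-tuple (source and destination address, protocol, source and destination port), a first-match sequential scan, and a bounded least-recently-used flow cache in front of it; the addresses, ports, rule set and traffic pattern are constructed for the example. Running it with 100 policies shows that the cache reduces the average scan from 99 inspections per packet to about 10 when each session's packets arrive in a burst, but gives no benefit at all when 2,000 sessions interleave against a 1,024-entry cache, which is the weakness the text describes.

```python
from collections import OrderedDict, namedtuple
from ipaddress import ip_address, ip_network

# Constructed 5-tuple; being a plain tuple it doubles as the flow-cache key.
Packet = namedtuple("Packet", "src dst proto sport dport")
# One user policy; proto/dport of None mean "any".
Policy = namedtuple("Policy", "number action src dst proto dport", defaults=(None, None))

def matches(pol, p):
    return (ip_address(p.src) in pol.src and ip_address(p.dst) in pol.dst
            and (pol.proto is None or pol.proto == p.proto)
            and (pol.dport is None or pol.dport == p.dport))

class SequentialFilter:
    """Method 1: inspect the policies one by one; the first match decides."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.comparisons = 0        # total policy inspections performed

    def decide(self, p):
        for pol in self.policies:
            self.comparisons += 1
            if matches(pol, p):
                return pol.number, pol.action
        return None, "drop"         # nothing matched: default deny

class FlowCachedFilter(SequentialFilter):
    """Method 3: remember the policy number per flow so only a flow's first
    packet pays for the sequential scan.  The cache is a bounded LRU: once more
    flows are live than it can hold, packets start missing again."""

    def __init__(self, policies, capacity=1024):
        super().__init__(policies)
        self.capacity = capacity
        self.cache = OrderedDict()  # Packet 5-tuple -> (policy number, action)
        self.hits = 0

    def decide(self, p):
        if p in self.cache:
            self.hits += 1
            self.cache.move_to_end(p)
            return self.cache[p]
        result = super().decide(p)
        self.cache[p] = result
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)   # evict the least recently used flow
        return result

def build_policies(n):
    """Constructed rule set of n policies (n <= 255): n-2 narrow drop rules that
    never match the sample traffic, an accept rule for HTTPS to 203.0.113.0/24
    at position n-1, and a final drop-all."""
    pols = [Policy(i, "drop", ip_network(f"10.{i}.0.0/16"), ip_network("0.0.0.0/0"))
            for i in range(1, n - 1)]
    pols.append(Policy(n - 1, "accept", ip_network("192.168.0.0/16"),
                       ip_network("203.0.113.0/24"), "tcp", 443))
    pols.append(Policy(n, "drop", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")))
    return pols

def traffic(sessions, packets_per_session, interleaved):
    """Constructed HTTPS sessions from 192.168.1.0/24 to 203.0.113.10, one source
    port each.  interleaved=True yields one packet from every session in turn
    instead of each session's packets back to back."""
    flows = [Packet(f"192.168.1.{s % 250 + 1}", "203.0.113.10", "tcp", 40000 + s, 443)
             for s in range(sessions)]
    if interleaved:
        for _ in range(packets_per_session):
            yield from flows
    else:
        for f in flows:
            for _ in range(packets_per_session):
                yield f

def average_inspections(filt, sessions, packets_per_session, interleaved):
    """Mean number of policies inspected per packet of the sample traffic."""
    count = 0
    for p in traffic(sessions, packets_per_session, interleaved):
        assert filt.decide(p)[1] == "accept"   # sample traffic hits the accept rule
        count += 1
    return filt.comparisons / count

def packets_per_second(base_pps, new_sessions, policies, us_per_inspection=1.0):
    """Throughput model of the example above: each new session costs policies/2
    inspections before its first packet is forwarded, and the remainder of the
    second runs at the base rate."""
    setup_seconds = new_sessions * (policies / 2) * us_per_inspection * 1e-6
    return new_sessions + (1.0 - setup_seconds) * base_pps

if __name__ == "__main__":
    rules = build_policies(100)
    print("method 1:", average_inspections(SequentialFilter(rules), 2000, 10, False))
    print("method 3, bursts:", average_inspections(FlowCachedFilter(rules), 2000, 10, False))
    print("method 3, interleaved:", average_inspections(FlowCachedFilter(rules), 2000, 10, True))
    print("modelled throughput:", packets_per_second(50_000, 2000, 200))
```

The `hits` counter on the cached filter makes the failure mode visible: with 2,000 interleaved sessions and a 1,024-entry LRU cache it stays at zero, because every flow is evicted before its next packet arrives. Raising `capacity` above the number of live sessions restores the bursty-traffic figure, which is the dependence on concurrent session count that the text points out.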