This invention relates to proxy systems, and more particularly, to one-way proxy systems that allow an analyzer application to perform operations on data traffic flowing in one direction between Transmission Control Protocol endpoints in a network.
Transmission Control Protocol (TCP) is a transport-layer protocol used to support data communications. A TCP connection is full duplex: it carries two independent unidirectional data traffic streams, one in each direction. A TCP session involves the transmission and reception of data traffic between two respective TCP endpoints. At each TCP endpoint an application runs on top of the TCP session; the application supplies the TCP data to be sent and consumes the TCP data that is received. As an example, an internet browser application at one TCP endpoint may communicate with a web server application at another TCP endpoint.
TCP is a reliable, connection-oriented transport protocol that provides in-order delivery of bytes, retransmission of lost segments, and flow control. Each TCP endpoint in a session must implement these properties, so terminating a TCP session is considerably more work than forwarding its packets.
Sometimes there is a need to insert software such as a stateful firewall, a content filtering package, or a virus scanner into a TCP stream. For example, an organization may wish to scan traffic for computer viruses. Traditionally, a proxy server solution is used in these situations. A network element is placed in the path of the TCP session (e.g., at the edge of the organization's network) and is used to implement a proxy server system that has two proxy points. The virus scanner or other software runs as an application between the two proxy points.
Conventional proxy server arrangements such as these break the original TCP session into two independent TCP sessions. A first TCP session runs between the first original TCP endpoint and the first proxy point, and a second TCP session runs between the second proxy point and the second original TCP endpoint. Each proxy point is a full TCP endpoint with its own state (sequence numbers, receive buffers, retransmission timers), so with this architecture complete TCP processing is required for each of the two TCP sessions in both directions, even when it is only desired to process traffic in one direction.
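To make the two-session arrangement concrete, the following is an added example (not part of the patent, and not the applicant's implementation) of a conventional proxy written in Python. It terminates the client's session at a first proxy point, opens a second session to the server from a second proxy point, and relays bytes between them; only the client-to-server direction is handed to an analyzer, yet both directions still require a full relay loop over a full TCP socket. The echo server, the `SIGNATURE` byte string and the `SignatureScanner` class are constructed stand-ins for a real server and a real virus scanner; they are assumptions of this example, not anything the page describes.

```python
import socket
import threading

# Constructed stand-in for a virus signature (assumption of this example, not a real one).
SIGNATURE = b"EICAR-TEST-SIGNATURE"


class SignatureScanner:
    """Stateful scanner standing in for the analyzer application.

    It keeps the tail of the previous chunk so that a signature split across
    two TCP segments is still detected; a per-chunk search would miss it.
    """

    def __init__(self, signature):
        self.signature = signature
        self.tail = b""

    def feed(self, chunk):
        window = self.tail + chunk
        hit = self.signature in window
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""
        return hit


def relay(src, dst, scanner, stats, direction):
    """Copy one unidirectional stream from src to dst through the proxy.

    Because each proxy point is a full TCP endpoint, this loop must run for
    both directions of the original session, even though only one of them
    is given a scanner.
    """
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:  # peer closed its sending side
                break
            if scanner is not None and scanner.feed(chunk):
                stats["blocked"] += 1
                break  # block: stop forwarding this direction
            dst.sendall(chunk)
            stats[direction] += len(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate the half-close into the other session
        except OSError:
            pass


def echo_server(listener):
    """Constructed second endpoint: echoes whatever it receives, then closes."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def two_session_proxy(listener, server_addr, stats):
    """Conventional proxy: one TCP session per side, relayed by two threads."""
    client_side, _ = listener.accept()                    # session 1: endpoint A <-> proxy point 1
    server_side = socket.create_connection(server_addr)   # session 2: proxy point 2 <-> endpoint B
    c2s = threading.Thread(target=relay, args=(client_side, server_side,
                                               SignatureScanner(SIGNATURE), stats, "c2s_bytes"))
    s2c = threading.Thread(target=relay, args=(server_side, client_side, None, stats, "s2c_bytes"))
    c2s.start()
    s2c.start()
    c2s.join()
    s2c.join()
    client_side.close()
    server_side.close()


def run_demo(payload):
    """Run server, proxy and client on loopback and return what the client saw."""
    stats = {"c2s_bytes": 0, "s2c_bytes": 0, "blocked": 0}
    server_l = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_l.bind(("127.0.0.1", 0))
    server_l.listen(1)
    proxy_l = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    proxy_l.bind(("127.0.0.1", 0))
    proxy_l.listen(1)
    t_server = threading.Thread(target=echo_server, args=(server_l,))
    t_proxy = threading.Thread(target=two_session_proxy,
                               args=(proxy_l, server_l.getsockname(), stats))
    t_server.start()
    t_proxy.start()
    received = b""
    with socket.create_connection(proxy_l.getsockname()) as client:  # endpoint A
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    t_proxy.join()
    t_server.join()
    server_l.close()
    proxy_l.close()
    stats["echoed"] = received
    return stats


if __name__ == "__main__":
    print(run_demo(b"GET /index.html HTTP/1.0\r\n\r\n"))
    print(run_demo(b"payload " + SIGNATURE + b" tail"))
```

Note that the relay for the server-to-client direction does nothing but copy bytes, yet it still consumes a socket, a thread and the full TCP state machine of the second session; that is the overhead the next paragraph is concerned with.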
The need to perform complete TCP processing for both TCP sessions adversely affects the performance of the network element, as reflected in performance metrics such as overall throughput and the number of sessions that can be created per unit time. Conventional proxy server arrangements are also unable to provide fail-close support. The two original endpoints each hold state for a session with a proxy point rather than with each other, so when a conventional network element switches into hardware bypass mode upon detecting a failure, the existing TCP sessions cannot survive.
It is therefore an object of the present invention to provide a one-way proxy architecture that processes TCP traffic between TCP endpoints more efficiently and reliably than conventional two-way proxy server architectures.