Generally, modern networks are set up with proxy devices, such as firewalls, to apply policy decisions to the traffic that flows across a network boundary. In order to apply these policy decisions, the firewalls may inspect the network traffic, making a shallow inspection by only viewing packet headers, or performing deep packet inspection by viewing the underlying packet data. With unsecured network transmissions it is possible for the firewalls to immediately view the network packets in their entirety, and therefore, the firewalls are able to apply policy decisions to network traffic prior to allowing any portion of the messages through the firewall.
As more network traffic is being sent securely (e.g., using encryption techniques), it is no longer possible for the firewall to view the network traffic in its entirety without first decrypting the messages. Additionally, in certain encryption protocols, a firewall is not be able to determine even basic information, such as the desired uniform resource locator (URL) for the message, without decrypting the message. In order to complete the decryption process, the firewall will often need to allow certain messages or a limited number of packets, for example, to pass through the firewall before any policy decision is applied to the traffic. Decryption of network traffic at the firewall requires resource intensive operations to be performed by the firewall. Furthermore, since networks are used for carrying traffic for sensitive transactions such as financial transactions, rules and regulations are being put into place which restrict firewalls from decrypting certain sensitive traffic.