As enterprises support more and more servers and virtual machines in their networks, there is an increasing need for the scalability of network security gateways. Traditional network security gateways process all packets using hardware within a single physical chassis. While this design is easier to implement, it puts severe limits on how network administrators can utilize their networks. All traffic that requires security inspection must be forwarded to the centralized physical chassis or hardware for processing and then sent back, thereby increasing transport latency and management complexity. There are some implementations that use multiple, yet independent, hardware units to process network security, but these implementations keep the state information on each hardware unit separate from the others, which prevents their use in many scenarios that require all the state information to be centrally located or accessible.
In the prior art, the security gateways typically run independently. If a host or virtual machine moves to a different location that is behind a different security gateway, the session information of its current connections is lost and the security processing is interrupted. The interruption may cause a security vulnerability or down time of the connection.
Some security gateways implement session synchronization between two or more gateways for redundancy purposes to support high availability. The session synchronization process repeatedly copies the session information to the gateways being synchronized. The gateways receiving the session information keep it as a passive backup and use it only when a failover is needed. This mechanism requires that the synchronization apply to all connections throughout the life cycle of the connections. If failover never occurs, the session synchronization process wastes bandwidth and storage, since the backup is never used for packet processing. If the number of session gateways is large, the use of session synchronization is not practical for dynamic session migration, since the memory and bandwidth consumed by storing the backups become too large.