1. Field of the Invention
The invention relates in general to information based on which data packets are screened in a network node. It further relates to processing data packets in a network node based on such information.
2. Description of Related Art
The public Internet is presently being used more and more for sensitive and mission critical communications. Since the basic mechanisms of the Internet were originally not designed with secrecy and confidentiality in mind, the Internet is an untrusted network. Skilled individuals can in many cases eavesdrop or divert communications, which requires the use of different kinds of security measures in order to use the Internet for sensitive communications.
The local networks of various organizations and enterprises are nowadays connected to the public Internet. To protect a local network, a special gateway is usually used to connect the local network to a public network. This special gateway is often called a firewall, and the purpose of a firewall is to prevent unauthorized access to the local network. Typically there is a need to restrict access to a local network from a public network and/or to restrict access from the local network to the public network or to further networks connected to the public network. On the data packet level this means that data packets, which are entering and/or exiting a local network, are screened or filtered in a firewall. In addition to filtering data packets, a gateway element may secure data packets transmitted between, for example, certain local networks. In this case the gateway is both a firewall and a VPN (Virtual Private Network) gateway.
FIG. 1 illustrates an example with a first local network 12, a second local network 14 and a public network 10. The public network may be, for example, the Internet. The local networks 12, 14 are connected to the public network 10 via gateway entities 16 and 18, respectively. A gateway element 16, 18 may be implemented as one network node (server) or as a cluster of nodes. The term gateway element is used in this description to refer to a network node or to a cluster of network nodes, where data packet screening is typically performed and which connects at least two networks (each network having at least one network node) to each other. A gateway element may be, for example, a firewall node, a firewall node provided with VPN functionality, or a cluster of such nodes.
The screening of data packets is usually done using information specifying at least allowed data packet headers and corresponding instructions for processing a data packet. This information is usually an ordered set of rules. FIG. 2 illustrates as an example a set 20 of rules, having a first rule Rule1, a second rule Rule2, and so forth. The order of the rules in the rule set typically defines the order in which a header of a data packet is compared to the rules. The instructions specified in the first rule to which the header of a data packet matches state the action to be carried out for said data packet. The rules are typically listed in a rule file in the order in which they are processed: a rule file thus typically comprises a sequence of rules Rule1, Rule2, ..., RuleN. The rule file is typically stored in a gateway element, for example in gateway element 16.
A typical format for the rules is the following: header information, action. The header information typically involves the source address (src), destination address (dst) and protocol (prot) relating to a data packet, and a rule typically has the following form: src, dst, prot, action. This means that for a data packet which has the indicated header information, the indicated action is carried out. Typically the action is ‘drop’ or ‘accept’, which means the data packet is discarded or allowed to proceed, respectively. As a data packet is processed, its header information is compared to the header information indicated by the rules; the rules are processed in the order defined by the ordered set. Typically the last rule in the ordered set of rules (e.g. RuleN in FIG. 2) is of the following form: any, any, any, drop. This means that a data packet whose header information does not match the header information indicated in any of the preceding rules is discarded.
A problem in having an ordered set of rules is that when, for example, a new rule is added to the ordered set of rules, the position of the new rule has to be determined with care. Otherwise the effect of the rule may not be the desired effect. Finding a correct position for a new rule may be difficult, especially as the list of rules in a rule file may comprise a vast number of rules. Furthermore, a packet is typically compared to a large number of rules before the rule to which it matches is found. In the worst case, a packet is compared to all rules and then discarded on the basis of the very last rule. This results in inefficient use of processing resources in a gateway element.
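The following Python snippet is an added illustration, not part of the patent text, of the first-match screening over an ordered src, dst, prot, action rule set described above and of the two problems just noted: it counts how many rules a packet is compared to before a decision, and shows how inserting a new rule at the wrong position changes the outcome for a packet. The rule set, addresses and packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    src: str     # source address or the wildcard "any"
    dst: str     # destination address or "any"
    prot: str    # protocol, e.g. "tcp", "udp", or "any"
    action: str  # "accept" or "drop"

def field_matches(rule_value: str, packet_value: str) -> bool:
    """A rule field matches a packet field if it is 'any' or identical."""
    return rule_value == "any" or rule_value == packet_value

def screen(rules: List[Rule], packet: Tuple[str, str, str]) -> Tuple[str, int]:
    """First-match screening over an ordered rule set.

    Returns (action, number_of_rules_compared). If no rule matches, the
    packet is dropped, mirroring the conventional final any,any,any,drop rule.
    """
    src, dst, prot = packet
    for compared, rule in enumerate(rules, start=1):
        if (field_matches(rule.src, src) and field_matches(rule.dst, dst)
                and field_matches(rule.prot, prot)):
            return rule.action, compared
    return "drop", len(rules)

def insert_rule(rules: List[Rule], position: int, rule: Rule) -> List[Rule]:
    """Return a new ordered rule set with `rule` inserted at `position` (0-based)."""
    return rules[:position] + [rule] + rules[position:]

# Constructed rule file: block one host, allow TCP to one server, drop the rest.
RULES = [
    Rule("10.0.0.5", "any", "any", "drop"),              # Rule1
    Rule("any", "192.168.1.10", "tcp", "accept"),        # Rule2
    Rule("any", "any", "any", "drop"),                   # RuleN: default drop
]

BLOCKED_HOST_PACKET = ("10.0.0.5", "192.168.1.10", "tcp")
OTHER_HOST_PACKET = ("10.0.0.7", "192.168.1.10", "tcp")
UNMATCHED_PACKET = ("10.0.0.7", "192.168.1.10", "udp")

# A broad accept rule placed *before* Rule1 silently overrides the host block.
MISPLACED_RULES = insert_rule(RULES, 0, Rule("any", "192.168.1.10", "tcp", "accept"))

if __name__ == "__main__":
    for rules, label in ((RULES, "original"), (MISPLACED_RULES, "misplaced insert")):
        for pkt in (BLOCKED_HOST_PACKET, OTHER_HOST_PACKET, UNMATCHED_PACKET):
            print(label, pkt, screen(rules, pkt))
```

The unmatched packet is compared against every rule before the final default-drop rule discards it, which is the worst case the text describes.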