1. Field of the Invention
The present invention relates to data communications. In particular, the present invention relates to firewall applications running within routers.
2. The Prior Art
Background
The ability to transport large amounts of critical data over a network in a reliable manner is of critical importance today. Applications such as streaming video, live audio, or teleconferencing all place high demands on networks such as the Internet. When a system carrying such data crashes, critical communications may be lost and users frustrated.
FIG. 1 shows an example of a prior art communications system. FIG. 1 shows a sender and a receiver connected to a network cloud. For purposes of this disclosure, the sender and receiver may be any standard electronic devices which desire to communicate through an electronic network such as the Internet, a Local Area Network (LAN), or a Wide Area Network (WAN).
To the end user, the operation of the system in FIG. 1 should be transparent and error free. For example, an end user (receiver) watching streaming video originating from a video server (sender) should never know what is taking place within the network cloud that makes the process possible.
FIG. 2 is a more detailed diagram of a prior art communications system. FIG. 2 expands on the detail of FIG. 1 by showing an example of communications occurring over a standard Internet connection. FIG. 2 includes a host and a server connected to a network cloud comprising a plurality of routers. In FIG. 2, the host wishes to transmit a packet P to the server. As is known by those of ordinary skill in the art, when the packet P arrives at router 1, the router 1 will encode the packet P with a unique identifier containing the source and destination addresses. Then router 1 will forward the packet P to the destination through other routers according to standard routing protocols. In this example, router 1 will forward packet P to router 4, which will then forward the packet P to the ultimate destination, which in our example here is the server.
One problem encountered in the prior art is how to ensure the reliability of the connection between the source and destination when one or more components or processes running within routers along the path of the packet fail.
FIG. 3 is a conceptual block diagram of a typical prior art router. A typical prior art router may have a plurality of input ports and a plurality of output ports connected through a switching fabric which forms the heart of the router. Routers will typically have a routing processor containing standard hardware and software, and may also contain a firewall application standard in the art as shown in FIG. 3.
In operation, when a packet appears at an input port such as input port 1 in FIG. 3, the firewall application will first examine the packet to see if the packet is safe to route through. If the packet is safe, then the routing processor will route the packet through the switching fabric to the appropriate output port, such as output port 1 as shown in FIG. 3.
As is known by those of ordinary skill in the art, the function of a firewall application is to protect the network from unauthorized access, and from problems such as broadcast storms. To accomplish this, firewall applications typically monitor packets passing through the router and block access to those packets deemed undesirable. Since all packets which flow through the router must necessarily pass through the firewall application, the firewall application must be able to understand the wide variety of protocols that are in use. Furthermore, since firewall applications may be programmed to block access to a particular address, the firewall application must also keep track of who is sending what packet to whom through the router.
During the process described in FIG. 3, various modules may be required to operate within the firewall application to attend to each individual connection.
Referring now to FIG. 4A, a diagram showing the organizational hierarchy for the various modules that may be running within the firewall is presented. As is known by those of ordinary skill in the art, for the firewall application to properly carry out its functions, it must use a data structure to represent the end-to-end connections that it must monitor. This connection data structure reflects the modular content of the firewall application and typically contains portions that are maintained by the various modules within the firewall application which are responsible for their respective parts of the communication protocol.
For example, the transport level portion of the connection data structure contains transport-related states of the connection. The application level portion contains application-related states and context information. Thus, the composition of the connection data structure depends on the end-to-end application.
Consequently, in the example described above, the firewall application will need to know the source and destination address contained in the base layer, the level 4 protocol types such as TCP and UDP that the connection may be utilizing, and the level 7 protocols the connection may be utilizing, such as video conferencing or FTP. During the life span of each connection, a separate connection data structure will be created within the firewall application for each individual connection made through the router which contains critical information regarding each individual connection running through the router.
Referring now to FIG. 4B, a diagram showing how the connection data structure is stored by the firewall in the prior art is presented. FIG. 4B also shows a detail illustration of the firewall application memory space for connections 1 through n.
As shown by FIG. 4B, the firewall memory space contains data for each connection running on the router. During the lifespan of each connection, a separate connection data structure is created that contains data for the base layer for each connection, as well as data for each module that is running to service the connection.
However, the individual data for each module does not contain an indication therein regarding which individual connection the module is related to. Thus, the firewall application memory space contains separate but interrelated data with no indication of how the data is interrelated. In other words, while the connection data structure is being stored in a manner suitable for a crash-free environment, it is not being stored in an organized and robust manner that may be reassembled should a failure occur.
As is known by those of ordinary skill in the art, the connection information contained in the firewall application's memory space is crucial to the proper operation of the router and firewall application. However, currently there is no method to safeguard this data in the event of a failure of the firewall application. Therefore, if a firewall application should crash, all of the information contained in the firewall application's memory space is lost, and the firewall application will lose track of all of the connections on the router, and all connections on the router will have to be rebuilt. Consequently, if a user is connected to a video server as in the above example, the streaming video will be lost should the firewall application crash.
Additionally, while the connection data structure may be stored and retrieved as a whole, this may not be possible or desirable where each component of the firewall application is configured in a modular fashion. This may occur by way of example where each component of the firewall application is configured to checkpoint its own data structure independently of the other modules running within the firewall application.
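As an added illustration that is not part of the original disclosure, the following Python models the connection data structure described with reference to FIGS. 4A and 4B (a base-layer identifier plus transport-level and application-level portions) and contrasts the prior-art memory space, whose module records carry no indication of their connection, with module checkpoints that are taken independently but keyed by the connection. The four-tuple connection identifier, the module class names and the state strings are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Connection identifier taken from the base layer: source address/port and
# destination address/port (assumption for this example; the text names only
# the addresses).
ConnId = Tuple[str, int, str, int]

@dataclass
class TransportState:      # portion maintained by the level-4 module
    proto: str             # "TCP" or "UDP"
    state: str             # e.g. "ESTABLISHED"

@dataclass
class AppState:            # portion maintained by the level-7 module
    proto: str             # e.g. "FTP" or "video"
    context: str

@dataclass
class ConnectionDataStructure:
    conn: ConnId
    transport: Optional[TransportState] = None
    app: Optional[AppState] = None

def recover_untagged(bases: List[ConnId], transports: List[TransportState],
                     apps: List[AppState]) -> Optional[List[ConnectionDataStructure]]:
    """Prior-art memory space: module records carry no indication of their
    connection. With one connection the pairing is forced; with more than one
    nothing in the data says which record goes with which, so give up."""
    if len(bases) != 1:
        return None
    return [ConnectionDataStructure(bases[0], transports[0] if transports else None,
                                    apps[0] if apps else None)]

class TaggedCheckpoints:
    """Each module still checkpoints its own portion independently, but every
    record is keyed by the connection it belongs to."""
    def __init__(self) -> None:
        self.base: Dict[ConnId, bool] = {}
        self.transport: Dict[ConnId, TransportState] = {}
        self.app: Dict[ConnId, AppState] = {}

    def recover(self) -> Dict[ConnId, ConnectionDataStructure]:
        """Rebuild every connection data structure after a module crash. A
        connection whose base record survived is rebuilt even if a module had
        not checkpointed its portion yet; that portion is left empty."""
        return {c: ConnectionDataStructure(c, self.transport.get(c), self.app.get(c))
                for c in self.base}
```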
Hence, there is a need for a system to preserve the connection data structure of a firewall application running within a router.
Also, there is a need for a method for recovering the connection data structure when a firewall application composed of independent modules crashes.
Also, there is a need for a method to recover the connection data structure when a firewall application crashes.
Furthermore, there is a need to satisfy the above needs in a manner that is transparent to the user.