Network protection devices (e.g., firewalls) implement rules with respect to packet-switched network traffic entering or leaving the networks they protect. Such devices compare the rules with the traffic. If a match is found, then the devices apply the actions associated with the rules to the traffic, e.g., the traffic may be allowed to cross the network boundary, or the traffic may be prevented from crossing the boundary. Such rules are often grouped into rule sets, which may form one or more network policies. As networks increase in complexity, the number of rules in a rule set may correspondingly increase. Similarly, the number of rules in a rule set may increase due to a desire on the part of an administrator to manage network traffic with a high level of granularity.
Network protection devices may require time to switch between rule sets. As rule sets increase in complexity, the time required for switching between them presents obstacles for effective implementation. For example, a network protection device may be unable to process network traffic while switching between rule sets due to the utilization of resources for implementing the new rule set. Additionally, while implementing a new rule set, a network protection device may continue processing packets in accordance with an outdated rule set. In certain circumstances (e.g., in the event of a network attack), such processing may exacerbate rather than mitigate the impetus for the rule set switch (e.g., the effect of the network attack).