A typical network firewall uses rules for processing network traffic to determine whether the network traffic should be allowed to pass through the firewall. The rules are applied to Internet Protocol (IP) addresses of the network traffic (e.g. destination, source, next/last hop, etc.) and indicate how network traffic exchanged with certain IP addresses should be handled. For instance, the rules may be configured to allow network traffic associated with certain IP addresses to pass through the firewall, deny passage through the firewall for network traffic associated with other IP addresses, or provide more specific directions for handling traffic to/from certain IP addresses.
Enforcement based on IP addresses in the manner described above works well when IP addresses remain constant. However, some network systems may be identified by high-level identification strings rather than by their IP addresses, which allows those IP addresses to change. Likewise, the network systems themselves may change over time, as new systems are brought online and other systems are taken offline. Thus, even if the firewall rules were properly configured to operate on traffic exchanged with one IP address associated with a high-level identification string, the firewall rules may not be configured to properly operate on other IP addresses associated with that same string.
For example, when accessing a system over the internet, such as a web server providing website content, a domain name based web address acts as a high-level identification string for the system. A domain name server (DNS) system is used to translate a web address, which is typically easy for a user to remember, into one or more IP addresses for one or more systems associated with that domain name. Thus, the systems and IP addresses can change over time and still be reachable via the domain name simply by keeping the DNS system up to date. A requesting system then uses one or more of the provided IP addresses to communicate with the systems associated with the domain name. Given the dynamic nature of those IP addresses, a firewall rule may not be configured to properly handle communication traffic exchanged using the various IP addresses that could be associated with the domain name (e.g. traffic may be denied or allowed contrary to the intentions of the firewall administrator).
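The following is an added illustration, not part of the original text, of the mismatch just described. It models a minimal first-match firewall whose rules carry either an IP literal or a domain name, and replays it against a constructed series of DNS answers for one hostname over several days. The hostname, the addresses (taken from documentation ranges), the snapshot table and the rule set are all assumptions made for the example; the name-based rule stands in for a generic "resolve the name at decision time" mechanism rather than any particular product's feature.

```python
"""Added example: IP-pinned firewall rules versus changing DNS answers.

Illustrative code written for this page; every hostname, address and
rule below is constructed and not taken from the original text.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS snapshots: the same name resolves to different hosts
# over time, as systems are brought online and retired.
DNS_SNAPSHOTS = {
    "day1": {"updates.example.test": ["203.0.113.10"]},
    "day2": {"updates.example.test": ["203.0.113.10", "203.0.113.11"]},
    "day3": {"updates.example.test": ["198.51.100.7"]},
}


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    dst: str             # an IP/CIDR literal, or a domain name if is_name
    is_name: bool = False  # True when dst is a high-level identifier


@dataclass
class Firewall:
    rules: list
    default: str = "deny"  # implicit deny when no rule matches

    def _targets(self, rule: Rule, dns: dict):
        """Networks a rule currently covers.

        A name-based rule is expanded from the DNS view handed to the
        firewall at decision time; an IP rule is fixed at write time.
        """
        if rule.is_name:
            return [ipaddress.ip_network(ip) for ip in dns.get(rule.dst, [])]
        return [ipaddress.ip_network(rule.dst, strict=False)]

    def decide(self, dst_ip: str, dns: dict) -> str:
        """First matching rule wins; otherwise the default applies."""
        addr = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if any(addr in net for net in self._targets(rule, dns)):
                return rule.action
        return self.default


def simulate(fw: Firewall, name: str, snapshots: dict) -> dict:
    """For each snapshot, resolve `name` as a client would and record the
    firewall's decision for every address in the answer."""
    results = {}
    for day, table in snapshots.items():
        results[day] = [(ip, fw.decide(ip, table)) for ip in table[name]]
    return results


def stale_denials(results: dict) -> list:
    """(day, ip) pairs where legitimate traffic to the name was blocked."""
    return [(day, ip) for day, rows in results.items()
            for ip, action in rows if action == "deny"]


# Rule written by resolving the name once on day1 and pinning that IP.
STATIC_FW = Firewall([Rule("allow", "203.0.113.10")])
# Rule keyed on the name itself, expanded from the current DNS answer.
NAME_FW = Firewall([Rule("allow", "updates.example.test", is_name=True)])


if __name__ == "__main__":
    for label, fw in (("static", STATIC_FW), ("name-based", NAME_FW)):
        res = simulate(fw, "updates.example.test", DNS_SNAPSHOTS)
        print(label, res, "stale denials:", stale_denials(res))
```

Running the block shows the IP-pinned rule denying `203.0.113.11` on day 2 and `198.51.100.7` on day 3, while the name-based rule allows every address the name currently resolves to. The caveat a practitioner should keep in mind is that the name-based variant is only as good as the DNS view the enforcement point holds: if the firewall and the client resolve through different resolvers, or the firewall caches an answer past its TTL, the same class of mismatch reappears.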