Network protocols are designed to facilitate communication between network devices through an open exchange of data. While the open exchange of data greatly enhances the use of network devices to accomplish tasks, it also creates problems because network protocols are not designed for, and generally do not provide, network security. Computers coupled to both public and private networks, such as Local Area Networks (LANs), Wide Area Networks (WANs), intranets, and the Internet are susceptible to malicious attacks perpetrated by other network devices coupled either directly or indirectly to the network. Such malicious attacks include theft of data, Denial of Service (DOS) attacks, the proliferation of computer viruses, and the like.
Various methods have been developed to protect network devices against malicious attacks usually through implementation of one or more network policies. One network policy is a security policy such as provided for by the Internet Protocol Security (IPSec) Suite. The IPSec suite provides protocols such as Encapsulating Security Protocol (ESP), Authentication Header (AH), and Internet Key Exchange and Management (IKE) protocol. The ESP protocol, documented in Internet Engineering Task Force (IETF) Request for Comments (RFC) 2406, is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide integrity, source authentication, and confidentiality of data. The AH protocol, documented in IETF RFC 2402, is an authentication protocol that uses a hash signature in the packet header to validate the integrity of the packet data and authenticity of the sender.
The IKE protocol, documented in IETF RFC 2409, provides a method for network devices to negotiate the security settings used with the AH and ESP formats. The negotiated security settings form a data structure called a security association (SA). The SA defines parameters, such as the authentication algorithm, encryption algorithm, keys, and the lifetime of keys, that are used by ESP or AH to protect the contents of the IP packet. Because ESP and AH require an established SA, an IKE negotiation is executed before the ESP or AH protocols are used to transmit data.
A network device identifies which packets are subject to IPSec processing (i.e. IKE, AH, or ESP), and how those packets should be IPSec processed, based on a security policy maintained in a Security Policy Database (SPD). The security policy is a set of rules assigned to the network device that defines how to use IPSec. The security policy includes filter lists, authentication methods, and other information. The proper security policy to be applied to a packet is usually determined based upon the packet's source and destination IP addresses, source and destination ports, and protocol type.
Another network policy used to protect against malicious attacks is a firewall policy. The firewall policy is implemented by one or more filters. Each filter includes filter parameters and associated policy to be applied to packets that match the filter parameters. The filter parameters include information such as hardware addresses, e.g. Media Access Control (MAC) addresses, network addresses, e.g., IP addresses, protocol type, e.g. Transport Control Protocol (TCP), port numbers, and the like. The firewall policy in the filter identifies how packets with parameters that match the filter parameters should be treated. As a specific example, the filter includes as its parameters a Uniform Resource Locator (URL) address, e.g. “http://www.foo.com.” The filter policy indicates that packets with that URL address should be dropped. Whenever the network device examines a packet and through that examination identifies the URL address “http://www.foo.com” as embedded in the packet, the network device drops the packet thereby preventing it from traversing the network.
Network devices also use non-security related policies to control the flow of network traffic. As one example, network devices implement Quality of Service (QOS) based policy. QOS addresses the fact that transmission rates, error rates, and other characteristics can be measured, improved, and to some extent guaranteed in advance. Packets can be expedited based on policy and reservation criteria. QOS is used, for example, to allocate network bandwidth for improved communications between network devices.
It is not uncommon for multiple policies, e.g. security policy, firewall policy, QOS policy, and the like to be implemented in a network device. These policies may conflict, i.e. identify contradictory actions to take on the same packet. Implementing multiple network policies in a network device also makes it difficult to diagnose packet transmission problems. For example, if packets are not being properly transmitted or received, it is difficult to identify which of the network policies is interfering with the packets.
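The selector-based lookup described for the SPD and the firewall filter list, and the policy conflict described in the last paragraph, as an added example (not code from the original document): each policy is consulted first-match against the packet's IP addresses, protocol and port, and a packet for which one policy says "drop" while another assumes delivery is reported as a conflict. The filter set, action names and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Filter:
    policy: str               # which network policy owns this filter (ipsec, firewall, qos)
    action: str               # what to do with a matching packet
    src: str = "0.0.0.0/0"    # selector: source subnet (any by default)
    dst: str = "0.0.0.0/0"    # selector: destination subnet (any by default)
    proto: Optional[str] = None   # selector: protocol, None matches any
    dport: Optional[int] = None   # selector: destination port, None matches any

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

# Constructed action names: "drop" discards the packet, the others assume it is delivered.
NEEDS_DELIVERY = {"protect-esp", "allow", "expedite"}

def classify(pkt: Packet, filters: list) -> dict:
    """First-match lookup per policy, as the SPD and a firewall filter list each do."""
    decisions = {}
    for f in filters:
        if f.policy not in decisions and f.matches(pkt):
            decisions[f.policy] = f.action
    return decisions

def find_conflicts(pkt: Packet, filters: list) -> list:
    """Pairs (dropping policy, delivering policy) whose decisions contradict for this packet."""
    decisions = classify(pkt, filters)
    drops = sorted(p for p, a in decisions.items() if a == "drop")
    delivers = sorted(p for p, a in decisions.items() if a in NEEDS_DELIVERY)
    return [(p, q) for p in drops for q in delivers]

# Constructed sample policies: one IPsec SPD entry, two firewall filters, one QoS rule.
FILTERS = [
    Filter("ipsec", "protect-esp", dst="10.0.0.0/8"),
    Filter("firewall", "drop", proto="tcp", dport=23),
    Filter("firewall", "allow"),
    Filter("qos", "expedite", proto="udp", dport=5060),
]
PKT_TELNET = Packet("192.168.1.5", "10.0.0.7", "tcp", 23)   # IPsec wants to protect, firewall drops
PKT_HTTPS = Packet("192.168.1.5", "10.0.0.7", "tcp", 443)   # IPsec protects, firewall allows
```

Reporting the pair of policies, rather than only the final disposition, is what makes the "which policy interfered" diagnosis tractable.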