The communications industry is rapidly changing to adjust to emerging technologies and ever-increasing customer demand. This customer demand for new applications and for increased performance of existing applications is driving communications network and system providers to employ networks and systems having greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a common approach taken by many communications providers is to use packet switching technology. Increasingly, public and private communications networks are being built and expanded using various packet technologies, such as Internet Protocol (IP). Note that nothing described or referenced in this document is admitted as prior art to this application unless explicitly so stated.
Firewalls are currently used in networks to prevent both malicious and innocuous traffic from reaching different portions of the network. These firewalls can be standalone appliances or can be incorporated in packet switching devices (e.g., routers, switches, etc.). In either case, prior art systems may use physical and/or virtual firewalls. A physical firewall has physical interfaces on which packets are received and from which they are sent, and firewall functionality that acts on these packets. A virtual firewall has virtual interfaces (e.g., buffers, memory locations, other data structures) in which packets are made available for processing by the firewall functionality. In other words, packets are virtually received when made available on the virtual interface, then processed by the firewall functionality, then virtually sent when forwarded or made available for processing by another part of the appliance (e.g., processed by a physical or virtual router). One way of looking at it is that a virtual firewall is an implementation/emulation of a physical firewall, much in the same manner that a computer system can emulate one or more other computer systems, or a router can emulate multiple routers, which is often referred to in the industry as multiple virtual routers. Additionally, just as multiple virtual routers can be implemented in a single router box, multiple virtual firewalls can be implemented in a single appliance.
For example, shown in FIG. 1 is a conventional prior art configuration of a network which includes a router with firewall 100 between a public Internet 110, a private enterprise network 120, and a publicly available portion 125 of the enterprise network. Firewall 100 prevents connections from being established between public Internet 110 and private enterprise network 120 when they are initiated from public Internet 110, while allowing such connections when they are initiated from private enterprise network 120. Similarly, firewall 100 prevents connections from being established between publicly available portion 125 of the enterprise network and private enterprise network 120 when they are initiated from publicly available portion 125, while allowing such connections when they are initiated from private enterprise network 120. Also, firewall 100 does not block connections between public Internet 110 and publicly available portion 125 of the enterprise network.
Current firewalls operate based on a knowledge of the topology of the network in which they are used in order to perform their functionality, and they perform that functionality based on network addresses, such as, but not limited to, Internet Protocol (IP) and media access control (MAC) addresses. For example, in the configuration illustrated in FIG. 1, the router with firewall 100 will receive and process routing information, including routing updates, in order to maintain its knowledge of the network topology. Thus, changes to the topology of the network require updates to the firewall, and the programming of the firewall functionality is based on a knowledge of these network addresses.
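The FIG. 1 connection-direction policy, and its dependence on an address-to-zone map that must be updated whenever the topology changes, as an added Python example (not code from this application or from any product it describes). The zone names, the address prefixes, and the use of a TCP SYN without ACK as the mark of an "initiated" connection are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Zone labels for the three regions of FIG. 1 (names constructed for this example).
PUBLIC, PRIVATE, DMZ = "public_internet", "private_enterprise", "public_portion"

# Direction policy of FIG. 1: which zone may *initiate* a connection toward which.
ALLOWED_INITIATIONS = {
    (PRIVATE, PUBLIC), (PRIVATE, DMZ),  # enterprise hosts may open outbound connections
    (PUBLIC, DMZ), (DMZ, PUBLIC),       # the public portion and the Internet reach each other
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

class ZoneFirewall:
    """Stateful, direction-based firewall whose decisions depend on address-to-zone topology."""

    def __init__(self, zones):
        # zones: {"10.0.0.0/8": PRIVATE, ...}; this map is the firewall's topology knowledge
        self.zones = {ipaddress.ip_network(p): z for p, z in zones.items()}
        self.flows = set()  # (src, sport, dst, dport) of connections already admitted

    def update_topology(self, prefix, zone):
        # A topology change: the firewall must be told which zone a new prefix belongs to.
        self.zones[ipaddress.ip_network(prefix)] = zone

    def zone_of(self, addr):
        ip = ipaddress.ip_address(addr)
        # Longest-prefix match so a more specific prefix (e.g. the DMZ) wins over a broader one.
        for net, zone in sorted(self.zones.items(), key=lambda kv: kv[0].prefixlen, reverse=True):
            if ip in net:
                return zone
        return None  # address not covered by the known topology

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "forward"  # either direction of an already-admitted connection
        if pkt.syn and not pkt.ack:  # a new connection attempt
            if (self.zone_of(pkt.src), self.zone_of(pkt.dst)) in ALLOWED_INITIATIONS:
                self.flows.add(fwd)
                return "forward"
        return "drop"  # disallowed initiation, unknown zone, or packet of no known flow
```

A host in a prefix the map does not cover is dropped until `update_topology` is called, which is the maintenance burden the paragraph above describes.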