Due to increasing reliance on network-accessible computers, network security has become a major issue for organizations and individuals. To help ensure the security of their computers, organizations and individuals frequently install security devices between public networks and their private networks. A goal of such security devices is to prevent unwanted or malicious information from the public network from affecting devices in the private network.
These security devices are commonly referred to as firewall devices. Typically, the firewall is a dedicated device that is configured to permit or deny traffic flows based on an organization's security policies. Typical high-end firewalls provide packet forwarding by dynamically load-balancing packet flows across a set of service cards. These service cards provide flow-based security services, such as flow blocking, network address translation (NAT), anti-virus (AV) scanning and detection, intrusion detection protection (IDP), and/or any other security services. The firewall device typically intercepts packets entering and leaving the private network and processes them with the service cards, which determine whether to permit or deny each packet based on information within the packet that may define the state of the flow to which the packet belongs.
Usually the firewall performs this flow-based forwarding by caching or otherwise storing flow state for the packet flows of a given communication session between two devices. Generally, upon recognizing the first packet of a new flow, the firewall initializes data structures to record the state of the session. The service cards of the firewall may inspect packet flows for the sessions by performing attack detection or other intrusion detection actions. In some cases, the service cards of the firewall may comprise two forwarding paths: a first path for processing the first packet of a newly established flow and a second path for inspecting and forwarding subsequent packets associated with a pre-existing flow. The first path through the service cards may be referred to as the “first path” or “session management path.” While processing a packet on the first path, the service cards of the firewall may update flow tables to record the session and otherwise initialize session data. The second path through the service cards of the firewall may be referred to as the “fast path” because it normally takes less time to traverse than the first path, since it does not perform the same detailed inspection. In this manner, the service cards of the firewall apply the security services and provide a forwarding plane for forwarding the packets.
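The two-path behaviour described above, as an added Python model that is not part of the original text: the first packet of an unknown flow goes through the session management path (policy lookup, session creation), later packets in either direction hit the cached session on the fast path, and a TCP packet that arrives mid-stream without a SYN and without an existing session is dropped rather than creating state. The policy table, address prefixes and packets are constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy table (hypothetical): (source prefix, dest port, proto, action).
# Anything that matches no rule is denied by default.
POLICY = [
    ("10.0.0.", 443, "tcp", "permit"),
    ("10.0.0.", 53, "udp", "permit"),
]


@dataclass
class Session:
    action: str       # "permit" or "deny", decided once on the first path
    packets: int = 0  # packets forwarded or dropped under this session


def flow_key(src, sport, dst, dport, proto):
    # Canonical bidirectional key: the reply direction maps to the same entry.
    a, b = (src, sport), (dst, dport)
    return (proto,) + ((a + b) if a <= b else (b + a))


class Firewall:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.sessions = {}      # flow table: flow_key -> Session
        self.first_path = 0     # counters show which path each packet took
        self.fast_path = 0

    def _lookup_policy(self, src, dport, proto):
        for prefix, port, p, action in self.policy:
            if src.startswith(prefix) and port == dport and p == proto:
                return action
        return "deny"

    def process(self, pkt):
        key = flow_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        sess = self.sessions.get(key)
        if sess is None:
            # Session management path: full policy evaluation, then record state.
            self.first_path += 1
            if pkt["proto"] == "tcp" and not pkt.get("syn", False):
                return "drop"  # mid-stream TCP with no session: never create state
            action = self._lookup_policy(pkt["src"], pkt["dport"], pkt["proto"])
            sess = self.sessions[key] = Session(action)
        else:
            # Fast path: cached decision, no policy re-evaluation.
            self.fast_path += 1
        sess.packets += 1
        return "forward" if sess.action == "permit" else "drop"
```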
Some network devices attempt to combine routing functions and firewall functions within a single chassis, such as by installing one or more security service cards within a router chassis. In this type of network device, there is little integration of the routing components with the firewall components. That is, the installed security service cards apply the security services and provide their own forwarding plane for forwarding the packets. For example, incoming packets received from the network by the routing components are directed by a switch fabric of the routing components to the security service cards. The installed security service cards then process the packets with their own switch-fabric forwarding plane to provide both the first path and the fast path for packet flows. The service cards may then output the packets directly to the network, or may inject them back into the forwarding plane of the routing components for output to the network. Such a network device may experience high latency in forwarding packets because the packets traverse a switch fabric multiple times while being processed within both the security card and the routing components. As a result, it may be difficult to enforce strict quality of service (QoS), which may be problematic for applications such as Voice over Internet Protocol (VoIP) calls, video-on-demand, or multimedia. Latency may also become a greater concern as the volume of data traffic to be processed by such network devices increases.