The Internet is an open (untrusted) network that can be accessed by anyone, primarily by means of the Transmission Control Protocol/Internet Protocol (“TCP/IP”) suite, although other protocols are also used. Because of this openness, computers on private (trusted) networks (e.g., Intranets) are exposed to attacks by malicious actors. Computer security is therefore a significant concern for computers and computer networks that communicate with each other and with the Internet.
Computer networks accordingly employ devices that implement a network security system, such as a firewall, to monitor and control incoming and outgoing network traffic on the basis of predetermined security rules. A firewall can be generalized as a set of logical functions, mainly related to security, implemented on a box in a computer network. In general, a firewall establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet. Firewalls are typically categorized as network-based or host-based. Network-based firewalls may be positioned on the edge devices (e.g., gateway computers) of local area networks (“LANs”), wide area networks (“WANs”), and Intranets. Host-based firewalls (or other per-host security mechanisms, such as Network Address Translation (“NAT”) or Internet Protocol Security (“IPsec”)) run on a network node device itself and control the traffic entering and leaving that machine.
A host-based firewall may be a daemon or service that is part of the operating system, or an agent application such as an endpoint security or protection product. Firewalls in general may be software appliances running on general-purpose hardware or dedicated hardware firewall appliances. A firewall may run on a dedicated electronic device; as a set of functions that complement other functions on a device such as a router; as a set of functions on a server, laptop, or workstation; or on some other network device. Thus, in general, a firewall may be implemented in any type of device that runs software developed specifically to separate an internal network from an external network and to protect the former from the latter, or vice versa.
The firewall's job is to inspect each packet attempting to enter or leave the local network. A packet is a formatted unit of data carried by a packet-switched network. This examination, referred to as packet filtering, determines whether the packet will be allowed into or out of the network. Packet filtering is generally based on access control lists, i.e., ordered sets of rules that match on header fields such as addresses, ports, and protocol.
Network layer firewalls operate at a relatively low level of the TCP/IP protocol stack and do not allow packets to pass unless they match the established rule set. The firewall administrator may define the rules, or default rules may apply. Network layer firewalls generally fall into two sub-categories, stateless and stateful. A stateless firewall evaluates every packet in isolation against the rule set. A stateful firewall additionally maintains context about active network sessions and uses that “state information” both to speed up packet processing and to admit packets (for example, the replies to an outbound request) that a static rule set alone could not safely admit.
A network session (also referred to herein simply as a “session”) is a semi-permanent interactive exchange of information between devices communicating over a network (e.g., a TCP connection or a UDP stream; UDP itself is connectionless, so a stateful firewall tracks a UDP stream as a pseudo-session keyed on its addresses and ports). Any existing network session can be described by several properties, including source and destination IP addresses, TCP or UDP ports, and the current stage of the connection's lifetime (connection initiation, handshaking, data transfer, or connection termination). If a packet does not match an existing network session, it is evaluated against the rule set for new connections. If a packet matches an existing session in the firewall's state table, it is allowed to pass for further processing.
Often, when a network session begins, the firewall is called upon to analyze the initial packets. That analysis yields a decision, in light of the predetermined security policies, about whether the session may be created. Once the decision is reached, the header values common to all packets of the session are stored in memory (e.g., in a session table) together with the decision. It is then unnecessary to consult the firewall's access control rules again for every subsequent packet of the session. Instead, a packet header key, or some other unique identifier, is looked up in the session table and, if found, the stored action or decision is enforced.
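The following is an added illustration of the session-table lookup described above; it is example code written for this page and is not code from the original document or from any particular firewall product. It assumes a simplified packet header (a 5-tuple plus a TCP SYN flag), a first-match rule list, and a session table keyed on a direction-normalized 5-tuple so that a server's replies hit the entry created by the client's first packet. The sample traffic in `main` is constructed for the example. Two practitioner caveats are built in: a TCP segment that is not a SYN and matches no session is dropped without consulting the rules, so unsolicited traffic cannot plant table state, and only admitted sessions are cached, so a port scan of denied ports does not fill the table.

```go
package main

import (
	"fmt"
	"net"
)

// FiveTuple is the set of header values common to every packet of a session.
type FiveTuple struct {
	Proto            string // "tcp" or "udp"
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// Packet is a simplified packet header; Syn marks a TCP connection-initiating segment.
type Packet struct {
	FiveTuple
	Syn bool
}

// Action is the firewall's decision for a packet or session.
type Action int

const (
	Deny Action = iota
	Allow
)

func (a Action) String() string { return [...]string{"DENY", "ALLOW"}[a] }

// Rule is one access-control entry. DstPort 0 matches any destination port.
type Rule struct {
	Proto   string
	SrcNet  *net.IPNet
	DstPort uint16
	Action  Action
}

// Firewall holds an ordered rule set, a default action, and the session table
// that caches the decision for every session already admitted.
type Firewall struct {
	Rules    []Rule
	Default  Action
	sessions map[FiveTuple]Action
}

func NewFirewall(rules []Rule, def Action) *Firewall {
	return &Firewall{Rules: rules, Default: def, sessions: make(map[FiveTuple]Action)}
}

// canonical folds both directions of a session onto one key so that the
// server's reply packets find the entry created by the client's first packet.
func canonical(t FiveTuple) FiveTuple {
	if t.SrcIP > t.DstIP || (t.SrcIP == t.DstIP && t.SrcPort > t.DstPort) {
		t.SrcIP, t.DstIP = t.DstIP, t.SrcIP
		t.SrcPort, t.DstPort = t.DstPort, t.SrcPort
	}
	return t
}

// evalRules is the rule-set evaluation for a new session; the first match wins.
func (f *Firewall) evalRules(p Packet) Action {
	src := net.ParseIP(p.SrcIP)
	for _, r := range f.Rules {
		if r.Proto == p.Proto && r.SrcNet.Contains(src) && (r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Action
		}
	}
	return f.Default
}

// Filter returns the decision for p and whether it came from the session
// table (true) rather than from a fresh rule evaluation (false).
func (f *Firewall) Filter(p Packet) (Action, bool) {
	key := canonical(p.FiveTuple)
	if a, ok := f.sessions[key]; ok {
		return a, true // established session: enforce the stored decision
	}
	// Only a connection-initiating packet may create TCP state; a stray
	// non-SYN segment with no session is dropped without consulting the rules.
	if p.Proto == "tcp" && !p.Syn {
		return Deny, false
	}
	a := f.evalRules(p)
	if a == Allow { // denied probes get no table entry, so scans cannot fill the table
		f.sessions[key] = a
	}
	return a, false
}

// SessionCount reports how many sessions the table currently holds.
func (f *Firewall) SessionCount() int { return len(f.sessions) }

func main() {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8")
	fw := NewFirewall([]Rule{{Proto: "tcp", SrcNet: lan, DstPort: 443, Action: Allow}}, Deny)
	// Constructed sample traffic: an outbound HTTPS SYN, the server's reply, an inbound SSH probe.
	pkts := []Packet{
		{FiveTuple: FiveTuple{"tcp", "10.1.2.3", "203.0.113.10", 51000, 443}, Syn: true},
		{FiveTuple: FiveTuple{"tcp", "203.0.113.10", "10.1.2.3", 443, 51000}},
		{FiveTuple: FiveTuple{"tcp", "198.51.100.7", "10.1.2.3", 40000, 22}, Syn: true},
	}
	for _, p := range pkts {
		a, hit := fw.Filter(p)
		fmt.Printf("%s %s:%d -> %s:%d  %v (table hit: %v)\n", p.Proto, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, a, hit)
	}
}
```

Running it shows the first packet being decided by the rules, the reply being admitted purely by the table lookup (no rule matches an inbound packet from 203.0.113.10, so without state it would be denied), and the SSH probe being denied without leaving any state behind.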
In certain scenarios it is important to be able to create sessions at a high rate (e.g., to absorb bursts of traffic) without losing any connection's data. The challenges are to support a high degree of parallelism while processing and updating the session table; to maintain data integrity when the session table is updated in parallel by multiple processes or tasks; to provide exclusive access to the session table when a session with the same unique identifier is being updated by multiple processes; and, at the same time, to maintain a high session setup rate.
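As an added example of one way to meet these four requirements together (example code written for this page, not the design of the original document or of any particular product), the session table below is striped into shards that each carry their own lock. Sessions whose keys hash to different shards are created in parallel; two arrivals of the same key serialize on a single shard lock, so exactly one entry is created and the per-session packet counter is never updated without that lock. The rule evaluation is passed in as a function and runs with no lock held, so a slow decision does not stall other keys in the same shard; the loser of a creation race simply adopts the winner's entry. The shard count, the hash, and the `SimulateBurst` traffic generator are assumptions made for the example.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sync"
	"sync/atomic"
)

// SessionKey is the unique identifier of a session (its 5-tuple).
type SessionKey struct {
	Proto            uint8
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
}

// Session is the per-key state; Decision caches the firewall's verdict.
type Session struct {
	Key      SessionKey
	Decision string
	Packets  uint64 // modified only while holding the owning shard's lock
}

const numShards = 64 // assumed for the example; sized to the expected parallelism

type shard struct {
	mu   sync.Mutex
	seen map[SessionKey]*Session
}

// Table is a session table striped into independently locked shards.
type Table struct {
	created uint64 // sessions actually created; first field so it is 64-bit aligned
	shards  [numShards]shard
}

func NewTable() *Table {
	t := &Table{}
	for i := range t.shards {
		t.shards[i].seen = make(map[SessionKey]*Session)
	}
	return t
}

func (t *Table) shardFor(k SessionKey) *shard {
	h := fnv.New32a()
	fmt.Fprintf(h, "%d|%s|%s|%d|%d", k.Proto, k.SrcIP, k.DstIP, k.SrcPort, k.DstPort)
	return &t.shards[h.Sum32()%numShards]
}

// get is the fast path: an existing entry needs the shard lock only briefly.
func (s *shard) get(k SessionKey) (*Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.seen[k]
	if ok {
		sess.Packets++
	}
	return sess, ok
}

// Lookup returns the cached decision for an established session.
func (t *Table) Lookup(k SessionKey) (string, bool) {
	if sess, ok := t.shardFor(k).get(k); ok {
		return sess.Decision, true
	}
	return "", false
}

// GetOrCreate returns the session for k, creating it if absent, and reports
// whether this call created it. decide (the rule evaluation) runs outside the
// lock; the insert is re-checked under the lock so concurrent creators of the
// same key can never produce two entries.
func (t *Table) GetOrCreate(k SessionKey, decide func(SessionKey) string) (*Session, bool) {
	s := t.shardFor(k)
	if sess, ok := s.get(k); ok {
		return sess, false
	}
	d := decide(k) // no lock held during the expensive part
	s.mu.Lock()
	defer s.mu.Unlock()
	if sess, ok := s.seen[k]; ok { // lost the race: adopt the winner's entry
		sess.Packets++
		return sess, false
	}
	sess := &Session{Key: k, Decision: d, Packets: 1}
	s.seen[k] = sess
	atomic.AddUint64(&t.created, 1)
	return sess, true
}

// Created counts sessions created (as opposed to looked up) since the table was built.
func (t *Table) Created() uint64 { return atomic.LoadUint64(&t.created) }

// Len counts entries across all shards.
func (t *Table) Len() int {
	n := 0
	for i := range t.shards {
		t.shards[i].mu.Lock()
		n += len(t.shards[i].seen)
		t.shards[i].mu.Unlock()
	}
	return n
}

// SimulateBurst fires n goroutines at once, each carrying a packet of one of
// distinct flows (constructed keys differing only in source port), so that
// duplicates of the same key race each other. It returns tbl.Created().
func SimulateBurst(tbl *Table, n, distinct int, decide func(SessionKey) string) uint64 {
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			k := SessionKey{Proto: 6, SrcIP: "10.1.2.3", DstIP: "203.0.113.10",
				SrcPort: uint16(40000 + i%distinct), DstPort: 443}
			tbl.GetOrCreate(k, decide)
		}(i)
	}
	wg.Wait()
	return tbl.Created()
}

func main() {
	tbl := NewTable()
	allow := func(SessionKey) string { return "ALLOW" }
	n := SimulateBurst(tbl, 10000, 256, allow)
	fmt.Printf("burst of 10000 packets over 256 flows: %d sessions created, %d entries\n", n, tbl.Len())
}
```

The per-shard mutex is what gives "exclusive access" for a given identifier without serializing the whole table; in a production data plane the same structure is usually built with lock-free or RCU-style readers so that the established-session fast path takes no lock at all, but the invariant demonstrated here (one creation per key, counters updated only under the owning lock) is the same.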