The present invention relates to the field of computer networking. In particular the present invention discloses a control system for high speed rule processors that efficiently implement firewall, IP routing, quality of service, load balancing, and/or network address translation rules in a gateway at wire speed.
The Internet is a worldwide interconnection of computer networks that share a common set of well-defined data communication protocols. Specifically, most computer networks coupled to the Internet communicate using the Transport Control Protocol (TCP) and Internet Protocol (IP), commonly known as TCP/IP. This protocol provides an error-free data connection between two computing devices and sits underneath, and works in conjunction with, higher level network protocols including HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), Network News Transmission Protocol (NNTP), etc.
There is no central controlling authority in the global Internet. Individual entities coupled to the Internet are responsible for their own interactions with the Internet. To protect private networks, such as Local Area Networks (LANs) and the Intranet, most private networks use a gateway that is a network point acting as an entrance to another network. Essentially the gateway controls the flow of traffic between two networks, such as communications between computers on a local area network and computers out on the Internet. Examples of such functions in a gateway include network address translation, firewall protection, IP routing, quality of service, and/or load balancing.
Network address translation (NAT) is used to translate addresses from a first address domain into addresses within a second address domain. A typical device with network address translation has two different network ports. The first network port is coupled to an internal network with an "internal" network address and the second network port is coupled to the global Internet with a legally allocated Internet protocol address. The two-port network address translation device thus handles all Internet communication between internal computer nodes having internal network addresses and an Internet computer system having fully qualified Internet Protocol addresses.
Firewall protection attempts to prevent unauthorized access. Firewall protections are implemented using a set of packet filtering rules. Each packet-filtering rule specifies a particular packet filtering policy. For example, all packets incoming from the Internet addressed to vulnerable server ports may be discarded in order to protect the internal servers on the local area network. The firewall device examines each packet and applies any applicable firewall packet-filtering rules.
Routing is the process of locating the path to be taken by a packet in the Internet. Routing rules specify a next hop address and the port number associated with the next hop to be taken by a packet. For example, all packets which are destined to a particular IP network can be sent to a LAN port (a port attached to the local area network) and all other packets may be sent to a WAN port (a port attached to the wide area network).
Quality of Service or QoS is an idea that transmission rates, error rates, and other characteristics can be measured, improved, controlled and, to some extent, guaranteed in advance. QoS can be measured and guaranteed in terms of the average delay in a gateway, the variation in delay in a group of cells, cell losses, and transmission error rate. QoS is of particular concern for the continuous transmission of high-bandwidth video and multimedia information. For example, packets from a high-paying commercial customer may receive a higher grade of service than packets from a low-paying customer. Similarly, packets from a real-time video or audio streaming application may receive more prompt service than packets from a large file transfer operation.
Load balancing is a task of selecting a least utilized resource such that a "load" is balanced among all the available resources. For example, a popular web page will be placed on a large number of similarly configured server systems. When a web client requests a popular web page, a load-balancing device will select the server system that is currently experiencing a light load.
These common gateway tasks are often performed by computer systems employing general-purpose processors executing proxy programs. When a gateway is used for a very large network with a high bandwidth communication channel, the gateway has to process a large number of packets each second using rules that implement the gateway features. In such a demanding environment, a gateway employing general-purpose processors will be inadequate to produce sufficient throughput, which may subsequently deteriorate the network performance. It would therefore be desirable to have a control system for a high-speed rule processor that can be used in a gateway to perform common gateway tasks. In addition, since multiple rule processors are often used in parallel to further improve network throughput, the control system should control and synchronize the operations of the rule processors so that the various gateway tasks are performed seamlessly at wire speed.
In view of the above, one object of the present invention is to provide a control mechanism for high-speed rule processors in a gateway system. These high-speed rule processors may act as a firewall in the conventional sense and also as a packet classification and filtering system. The gateway system is positioned on a network connection between, for example, a public network and a private network that is protected from attacks. The gateway system comprises a management processor or module that inspects each incoming and outgoing packet and sends pertinent information about the packet to an engine that determines, based upon a plurality of rules, what actions should be taken on the packet.
The advantages of the present invention are numerous. Different embodiments or implementations including a method, an apparatus and a system may yield one or more of the following advantages. One advantage is that a gateway system employing the current invention can process packets at wire speed by using massively parallel processors, each of the processors operating concurrently and independently. Another advantage of the present invention is the scalability of a gateway system employing the current invention. The number of the engines in use can be expanded. The multiple engines are connected in cascade. Under the control system, all engines operate concurrently and independently. Results from each of the engines are collected sequentially through a common data bus such that the processing speed of packets becomes relatively independent of the complexity and number of rules that may be applied to the packets.
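The following is an added illustration, not code from the patent, of the packet-filtering rules described earlier and of the cascaded-engine arrangement just described: a constructed rule table is partitioned across several independent engines, each engine reports its own highest-priority hit, and the control logic merges the per-engine results so the outcome is identical to a conventional sequential first-match firewall. The `Rule`, `classify` and `sequential_classify` names, the rule table and the sample packets are all assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    rule_id: int            # lower id = higher priority, same order a sequential firewall walks
    action: str             # constructed actions: "drop", "accept", "route:LAN", "route:WAN"
    src: str                # source prefix
    dst: str                # destination prefix
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))

# Constructed rule table: firewall drops for exposed server ports, then routing rules.
RULES = [
    Rule(0, "drop",      "0.0.0.0/0",      "192.168.1.0/24",  "tcp", 23),   # telnet to LAN
    Rule(1, "drop",      "0.0.0.0/0",      "192.168.1.0/24",  "tcp", 445),  # SMB to LAN
    Rule(2, "accept",    "0.0.0.0/0",      "192.168.1.10/32", "tcp", 443),  # HTTPS to one server
    Rule(3, "route:LAN", "0.0.0.0/0",      "192.168.1.0/24",  "any"),       # internal destinations
    Rule(4, "route:WAN", "192.168.1.0/24", "0.0.0.0/0",       "any"),       # everything else out
]

def partition(rules: List[Rule], n_engines: int) -> List[List[Rule]]:
    """Load rule i into engine i mod n; slicing keeps each engine's rules in priority order."""
    return [rules[i::n_engines] for i in range(n_engines)]

def engine_first_match(engine_rules: List[Rule], pkt: dict) -> Optional[Rule]:
    """One engine's independent work: its own highest-priority matching rule, if any."""
    for rule in engine_rules:
        if rule.matches(pkt):
            return rule
    return None

def classify(pkt: dict, n_engines: int = 2) -> Optional[Tuple[int, str]]:
    """Collect every engine's result over the shared bus and keep the global best hit."""
    hits = [engine_first_match(e, pkt) for e in partition(RULES, n_engines)]
    hits = [h for h in hits if h is not None]
    if not hits:
        return None          # no rule applies; a real gateway would apply its default policy
    best = min(hits, key=lambda r: r.rule_id)
    return best.rule_id, best.action

def sequential_classify(pkt: dict) -> Optional[Tuple[int, str]]:
    """Reference: a single general-purpose processor walking the whole list in order."""
    rule = engine_first_match(RULES, pkt)
    return None if rule is None else (rule.rule_id, rule.action)
```

Each engine only ever walks its own share of the table, so adding rules by adding engines leaves the per-packet work of any one engine unchanged, which is the throughput property the passage claims.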
Objects and advantages together with the foregoing are attained in the exercise of the invention in the following description, resulting in the embodiment illustrated in the accompanying drawings.