A computer network is a collection of interconnected computing devices that exchange data and share resources. There are a number of approaches for communicating data between the computing devices within the network. One approach, known as "multicasting," makes use of multicast trees in which a source device sends a single copy of a data packet for distribution to a group of one or more recipient computing devices. With multicasting, the source device addresses the data to a multicast identifier (a multicast group address) rather than to each recipient individually, and every computing device that has joined that group receives a copy of the data. In some cases, the source device sends multicast packets over the network to a router configured for multicasting. In turn, the router replicates the packets and forwards copies of the packets to other multicast-enabled routers. Those routers, in turn, replicate the packets and repeat the forwarding process so that each of the recipient devices receives copies of the packets. In this manner, multicast packets are delivered through one or more networks along a multicast tree, with replication occurring only where the tree branches.
Consumers may switch between different multicast content provided by one content provider or by multiple content providers by submitting "multicast action requests." In particular, the multicast action requests allow consumers to join and leave the various multicast groups associated with the multicast identifiers. An exemplary protocol for issuing multicast action requests, such as a join request, is the Internet Group Management Protocol (IGMP). To join a particular multicast group, a receiving device sends an IGMP membership report for that group to the multicast router on its local subnet; that router and the intermediate routers upstream of it then use a multicast routing protocol (for example, PIM) to propagate the join state hop by hop toward the source device, so that the receiving device is grafted onto the multicast tree.
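Because a firewall that sits on the multicast tree must be able to recognise and validate these multicast action requests before it can associate them with a flow, the following added example (not code from the original text) encodes and parses IGMPv2 membership report and leave messages as defined in RFC 2236: an 8-byte header of type, maximum response time, an RFC 1071 one's-complement checksum, and the group address. The group address 239.1.2.3 and the rejection of non-multicast group addresses are choices made for this example.

```python
import socket
import struct

# IGMPv2 message types (RFC 2236).
IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V2_MEMBERSHIP_REPORT = 0x16  # "join" a group
IGMP_LEAVE_GROUP = 0x17           # "leave" a group

_HDR = "!BBH4s"  # type, max response time, checksum, group address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_multicast(group: str) -> bool:
    """True for addresses in 224.0.0.0/4."""
    first_octet = socket.inet_aton(group)[0]
    return 224 <= first_octet <= 239


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """Build an IGMPv2 message; the checksum is computed over the whole 8-byte header."""
    if msg_type not in (IGMP_MEMBERSHIP_QUERY, IGMP_V2_MEMBERSHIP_REPORT, IGMP_LEAVE_GROUP):
        raise ValueError("unsupported IGMPv2 type 0x%02x" % msg_type)
    addr = socket.inet_aton(group)
    unchecked = struct.pack(_HDR, msg_type, max_resp_time, 0, addr)
    return struct.pack(_HDR, msg_type, max_resp_time, inet_checksum(unchecked), addr)


def parse_igmpv2(pkt: bytes) -> dict:
    """Validate and decode an IGMPv2 message; raises ValueError on anything a firewall should drop."""
    if len(pkt) < 8:
        raise ValueError("IGMPv2 message shorter than 8 bytes")
    header = pkt[:8]
    # Summing a header that includes its own checksum must give zero.
    if inet_checksum(header) != 0:
        raise ValueError("IGMP checksum mismatch")
    msg_type, max_resp, csum, addr = struct.unpack(_HDR, header)
    group = socket.inet_ntoa(addr)
    if msg_type in (IGMP_V2_MEMBERSHIP_REPORT, IGMP_LEAVE_GROUP) and not is_multicast(group):
        # A report or leave for a unicast address is malformed (example policy).
        raise ValueError("group %s is not a multicast address" % group)
    return {"type": msg_type, "max_resp_time": max_resp, "checksum": csum, "group": group}


if __name__ == "__main__":
    # Constructed sample: a host joining 239.1.2.3.
    join = build_igmpv2(IGMP_V2_MEMBERSHIP_REPORT, "239.1.2.3")
    print(join.hex(), parse_igmpv2(join))
```

The parser treats a checksum failure and a report for a non-multicast group as drop conditions, which is the minimum a firewall needs before it can bind a join or leave to the flow state for that group.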
Due to increasing reliance on network-accessible computers, network security has become a major issue for organizations and individuals. To help ensure the security of their computers, organizations and individuals frequently install security devices between public networks and their private networks. A goal of such security devices is to prevent unwanted or malicious information from the public network from affecting devices in the private network.
These security devices are commonly referred to as firewall devices. Typically, the firewall is a dedicated device that is configured to permit or deny traffic flows based on an organization's security policies. Typical high-end firewalls provide packet forwarding by dynamically load-balancing packet flows across a set of service cards. These service cards provide flow-based security services, such as flow blocking, network address translation (NAT), anti-virus (AV) scanning and detection, intrusion detection and prevention (IDP), and/or any other security services. The firewall device typically intercepts packets entering and leaving the private network and processes them with the service cards, which decide whether to permit or deny each packet based on information within the packet (for example, addresses and ports) that identifies the flow, together with the state the firewall maintains for that flow.
Conventional firewalls, however, have difficulty applying security services to multicast traffic for various reasons. For example, some firewalls apply services before replication of the multicast traffic. Because a single verdict is then inherited by every replica, all recipients receive identical treatment, and the firewall cannot apply a different policy to different branches of the tree (for example, permitting a group on one egress zone while denying it on another). Other firewalls apply services after replication of the multicast traffic, so that the work of the service cards grows with the number of replicas; this does not scale for the high-volume replication required in a high-end firewall environment. Moreover, current systems tend to express multicast security by breaking the multicast down into n-way unicast flows to which security services are individually applied, so that the firewall spends flow-table state and service-card capacity n times for a single multicast stream.
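The three placements of the service step described above can be compared with a small model. The following is an added example, not code from the original text: a single multicast packet arriving on an ingress zone is delivered to three egress zones under a per-zone policy, and the model counts how many times a service is invoked and how many flow-table entries are created under each placement. The zone names, the policy table, and the assumption that one service invocation has the same cost regardless of placement are all choices made for this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    group: str
    payload: bytes


# Example policy: which multicast groups each zone may receive.
# "guest" deliberately omits 239.1.2.3 so the placements diverge.
POLICY = {
    "wan": {"239.1.2.3"},
    "dmz": {"239.1.2.3"},
    "lan": {"239.1.2.3", "239.9.9.9"},
    "guest": {"239.9.9.9"},
}


def service(pkt: Packet, zone: str, stats: Counter) -> bool:
    """Stand-in for a service-card pass (e.g. flow blocking): one call, one verdict."""
    stats["service_calls"] += 1
    return pkt.group in POLICY.get(zone, set())


def pre_replication(pkt: Packet, ingress: str, egress: list, stats: Counter) -> dict:
    """Services run once on the ingress copy; every replica inherits that verdict."""
    if not service(pkt, ingress, stats):
        return {}
    return {zone: pkt for zone in egress}


def post_replication(pkt: Packet, ingress: str, egress: list, stats: Counter) -> dict:
    """Replicate first, then run services once per replica against the egress zone's policy."""
    delivered = {}
    for zone in egress:
        if service(pkt, zone, stats):
            delivered[zone] = pkt
    return delivered


def n_way_unicast(pkt: Packet, ingress: str, egress: list, stats: Counter) -> dict:
    """Treat the stream as n unicast flows: per-zone services plus one flow-table entry each."""
    delivered = {}
    for zone in egress:
        stats["flow_entries"] += 1  # state is created for each (src, group, zone) flow
        if service(pkt, zone, stats):
            delivered[zone] = pkt
    return delivered


def compare(pkt: Packet, ingress: str, egress: list) -> dict:
    """Run all three placements and report deliveries and resource counts for each."""
    results = {}
    for name, fn in (("pre", pre_replication), ("post", post_replication), ("unicast", n_way_unicast)):
        stats = Counter()
        delivered = fn(pkt, ingress, egress, stats)
        results[name] = {
            "delivered_to": sorted(delivered),
            "service_calls": stats["service_calls"],
            "flow_entries": stats["flow_entries"],
        }
    return results


if __name__ == "__main__":
    # Constructed sample packet from a WAN source to group 239.1.2.3.
    sample = Packet(src="198.51.100.7", group="239.1.2.3", payload=b"frame")
    for name, r in compare(sample, "wan", ["dmz", "lan", "guest"]).items():
        print(name, r)
```

The pre-replication placement reaches the guest zone even though that zone's policy does not permit the group, because its single verdict came from the ingress policy; the other two placements honour the per-zone policy but pay for it with one service pass per replica, and the unicast decomposition additionally holds one flow entry per replica.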