To provide security in modern data networks, dedicated devices such as firewalls are commonly used to separate network segments from one another and from backbone links. Most firewalls implement connection tracking mechanisms that allow stateful inspection and thereby raise the level of network security. Since storing information about established connections consumes firewall resources, it is necessary to restrict the number of concurrent connections and to remove connections that are no longer in use.
This task becomes particularly important as the load on the firewall increases.
Various methods are used to maintain stability and maximum throughput in network devices under high load and overload.
For example, under high load network routers can apply adaptive management of the input queue size (the RED/WRED algorithms) and/or discarding of packets once the input buffer overflows (the leaky bucket algorithm) (see Semenov Y. A., Telecommunications Technologies, v3.28, 20.08.2012, online version at http://book.itep.ru/; Stepanov S. N., Fundamentals of Telecommunications Traffic of Multiservice Networks, Moscow, Eco-Trendz, 2010). Although these mechanisms cope rather efficiently with network overload, they have several drawbacks stemming from the layer at which they operate. Since routers operate at the OSI network layer, they are guided exclusively by the IP header and do not analyze connection state. Thus, under overload a network router drops packets belonging to already established connections on the same footing as new connection requests, thereby breaking the established connections, which is, in particular, precisely the goal of Denial-of-Service attacks (DoS/DDoS attacks).
There is also a known method for managing the state of connections in a network device which operates as a firewall and comprises:
a processor;
a memory unit;
a network interface unit adapted to receive data packets from an external data network and send packets to an internal network, and
supporting units (See U.S. Pat. No. 7,831,822).
The method comprises the steps of
receiving packets from the external network;
generating a connection table containing the following information:
    a network protocol type;
    a connection state;
    a timestamp of processing of the last packet;
determining the total number of currently established connections;
analyzing data for each connection present in the connection table;
removing the connection if the time elapsed since the last packet processing timestamp of the connection exceeds a predetermined threshold value.
The method steps are directly implemented in software installed in the firewall.
The main mechanism for clearing the table is the removal of obsolete connections, which are identified by comparing the last packet processing timestamp against a predetermined timeout threshold (“timeout” is understood as the time the firewall waits for further packets of a connection before the connection is closed). If the connection table is full, then before a new connection is added the table is searched for obsolete connections, which are removed according to the LRU (Least Recently Used) algorithm. This mechanism does not work properly under high firewall load, because every new connection then requires a sweep of the full table and invocation of the LRU algorithm. The search for obsolete connections consumes significant resources, so performing it for every packet that opens a new connection may exhaust processor resources and slow down processing of the overall traffic. In addition, the resulting delays in traffic processing may cause the input packet buffer to overflow, so that pending packets are lost. Since the lost packets may belong both to new and to already established connections, this interrupts traffic exchange within the established connections. Low efficiency and interruption of established connections under high load are the main disadvantages of the known method.
To look up entries in the connection table, the known method further uses hash values calculated from the packet data (source address, destination address, source port, and destination port). The same hash value is intended to result for the original (client-to-server) packet and for the reply packet, because the source and destination fields are swapped before the hash is computed for the reply. The known method does not take into account that Network Address Translation (NAT) may modify the packet, so that the reply carries the translated address and port rather than the original ones and the swapped-field hash no longer matches; this narrows the scope of its applicability.
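As an added illustration (not part of this text and not the implementation of the cited patent), the following Python model reproduces the behaviour described above: a direction-independent lookup key built by ordering the two endpoints (equivalent to swapping source and destination for the reply), removal of idle connections by timeout, LRU eviction when the table is full, and a counter that makes visible how, once the table is full, every new connection costs a full sweep. The last function shows why the swapped-field key fails when NAT rewrites the reply. Addresses, ports, capacity and timeout are constructed values chosen for the demonstration.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Tuple

FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


@dataclass
class Entry:
    proto: str
    state: str
    last_seen: float  # timestamp of the last packet processed for this connection


def flow_key(proto: str, src: str, sport: int, dst: str, dport: int) -> FlowKey:
    """Direction-independent key: the two endpoints are ordered, so a reply packet
    (source and destination swapped) maps to the same table entry as the request."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (proto, a, b)


class ConnTable:
    """Connection table with idle timeout and LRU eviction on overflow."""

    def __init__(self, capacity: int, timeout: float) -> None:
        self.capacity = capacity
        self.timeout = timeout
        # OrderedDict keeps recency order: the oldest-touched entry is first (the LRU victim).
        self.entries: "OrderedDict[FlowKey, Entry]" = OrderedDict()
        self.sweeps = 0  # number of full-table searches for obsolete connections

    def _drop_obsolete(self, now: float) -> int:
        """Full sweep: remove every entry idle longer than the timeout. This is the
        costly operation the text refers to; returns how many entries were removed."""
        self.sweeps += 1
        stale = [k for k, e in self.entries.items() if now - e.last_seen > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def packet(self, now: float, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        key = flow_key(proto, src, sport, dst, dport)
        entry = self.entries.get(key)
        if entry is not None:
            # Known connection: refresh its timestamp and its recency position.
            entry.last_seen = now
            entry.state = "ESTABLISHED"
            self.entries.move_to_end(key)
            return "established"
        if len(self.entries) >= self.capacity:
            # Table full: search for obsolete entries; if none expired, evict the LRU one,
            # which may be a live connection that merely has not sent a packet recently.
            if self._drop_obsolete(now) == 0:
                self.entries.popitem(last=False)
        self.entries[key] = Entry(proto, "NEW", now)
        return "new"


def demo_overload(capacity: int = 4, new_flows: int = 10, timeout: float = 30.0) -> Tuple[int, int]:
    """Open `new_flows` distinct connections one second apart against a table of size
    `capacity`. Returns (number of full sweeps performed, final table size): once the
    table is full, every additional new connection triggers a sweep."""
    table = ConnTable(capacity, timeout)
    for i in range(new_flows):
        table.packet(float(i), "tcp", "10.0.0.%d" % (i + 1), 40000 + i, "203.0.113.10", 443)
    return table.sweeps, len(table.entries)


def demo_nat() -> bool:
    """Constructed NAT scenario: the firewall records the pre-translation request, but
    the reply is addressed to the translated address. Returns whether the keys match."""
    client, natted, server = ("10.0.0.5", 40000), ("198.51.100.1", 40000), ("203.0.113.10", 443)
    outbound = flow_key("tcp", client[0], client[1], server[0], server[1])
    reply = flow_key("tcp", server[0], server[1], natted[0], natted[1])
    return outbound == reply


if __name__ == "__main__":
    print("sweeps, table size:", demo_overload())
    print("NAT reply matches recorded key:", demo_nat())
```

With a capacity of 4 and 10 new flows, the model performs 6 full sweeps, one per new connection after the table fills, and none of them finds an expired entry, so each new connection evicts a live one. The NAT check returns False: without tracking the translated address and port, the reply is classified as a new connection rather than as part of the recorded one.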
Furthermore, the known method does not take into account groups of logically related connections. For example, when an ICMP error message (such as destination unreachable) is received, the connection it refers to should be closed. In some protocols, such as FTP, additional connections are established for data transfer, and lifetime should be controlled for the entire group of connections rather than for each connection individually. These restrictions also constitute disadvantages of the known method.