A computer network typically includes a collection of interconnected computing devices that exchange data and share resources. The devices may include, for example, web servers, database servers, file servers, routers, printers, end-user computers and other devices. The variety of devices may execute a number of different services, operating systems (or operating system versions) and communication protocols. Each of the different services, operating systems and communication protocols may expose the network to different security vulnerabilities. A malicious user or “hacker” may exploit these security vulnerabilities to gain unauthorized access to, disrupt or generally attack the network.
In an attempt to prevent these network attacks, network administrators may deploy one or more network security devices, such as firewalls and Intrusion Detection/Prevention (IDP) devices, within the network to apply one or more security services, such as firewall, anti-virus and IDP services, that limit or even prevent these attacks. Often, the network administrators position at least one network security device behind each network device that resides at the edge of the network, such as behind each edge router, to accommodate traffic engineering protocols, such as various link state protocols, that dynamically switch paths based on current link conditions within the network. Each of the one or more network security devices coupled to an edge router is then responsible for processing traffic for the corresponding edge router to which that network security device couples.
Upon receiving network traffic, these edge routers pass the traffic to the corresponding network security device located adjacent to the edge device at the network entry point before selecting one or more paths for the traffic and forwarding the traffic along those paths through the network. These network security devices may then apply the above security services to the respective network traffic entering the network through each edge router. If no attacks are detected, the network security device passes the network traffic back to the corresponding edge router, which in turn performs path selection and forwards the network traffic along the selected paths into the network. If, however, an attack is detected, the network security device denies the network traffic entry to the network by quarantining or dropping the network traffic. In this manner, the network security devices may reduce, if not eliminate, network attacks for each corresponding edge router by denying these attacks entry to the network. Thus, in such a conventional arrangement, application of security services is performed independently from path selection and routing of network traffic by each corresponding edge router. However, as network traffic increases, service providers are forced to place additional security devices at heavy-traffic locations within the network.
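The following Python simulation is an added illustration of the conventional arrangement just described; it is not part of the original text and does not model any particular vendor's product. The edge router hands every arriving packet to its adjacent security device first, and only traffic that comes back clean goes through link-state path selection (Dijkstra over a constructed topology). The router names, link costs, firewall port rule and IDP signatures are all constructed assumptions for the example.

```python
from __future__ import annotations

import heapq
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical link-state topology. R1 is the edge router at the
# network entry point; in practice the costs come from the link-state protocol.
TOPOLOGY = {
    "R1": {"R2": 1, "R3": 4},
    "R2": {"R1": 1, "R3": 1, "R4": 5},
    "R3": {"R1": 4, "R2": 1, "R4": 1},
    "R4": {"R2": 5, "R3": 1},
}

# Constructed illustrative policy for the security device: one firewall rule
# (deny a port) and two small IDP content signatures.
FIREWALL_DENY_PORTS = {23}
IDP_SIGNATURES = {
    "sqli-union-select": re.compile(rb"(?i)union\s+select"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


@dataclass
class Packet:
    src_ip: str
    dst_router: str   # router inside the network that serves the destination
    dst_port: int
    payload: bytes


def inspect(pkt: Packet) -> tuple[str, Optional[str]]:
    """Security device: firewall check, then IDP signatures. No routing here."""
    if pkt.dst_port in FIREWALL_DENY_PORTS:
        return "drop", f"firewall:port-{pkt.dst_port}"
    for name, sig in IDP_SIGNATURES.items():
        if sig.search(pkt.payload):
            return "drop", f"idp:{name}"
    return "pass", None


def shortest_path(topology: dict, src: str, dst: str):
    """Edge router path selection: Dijkstra over the link-state graph.
    Returns (cost, path) or None when dst is unreachable."""
    dist = {src: 0}
    prev: dict[str, str] = {}
    heap = [(0, src)]
    visited: set[str] = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in visited:
            continue
        visited.add(node)
        if node == dst:
            break
        for nbr, w in topology[node].items():
            nc = cost + w
            if nc < dist.get(nbr, float("inf")):
                dist[nbr] = nc
                prev[nbr] = node
                heapq.heappush(heap, (nc, nbr))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def edge_router_receive(pkt: Packet, entry_router: str = "R1",
                        topology: dict = TOPOLOGY) -> dict:
    """Conventional flow: inspection first, path selection only for clean traffic.
    The two decisions are independent of each other, as the text describes."""
    verdict, reason = inspect(pkt)
    if verdict == "drop":
        return {"action": "drop", "reason": reason, "path": None}
    route = shortest_path(topology, entry_router, pkt.dst_router)
    if route is None:
        return {"action": "drop", "reason": "no-route", "path": None}
    cost, path = route
    return {"action": "forward", "reason": None, "path": path, "cost": cost}


if __name__ == "__main__":
    # Constructed sample traffic arriving at R1.
    samples = [
        Packet("198.51.100.7", "R4", 80, b"GET /index.html HTTP/1.1"),
        Packet("198.51.100.8", "R4", 23, b"login"),
        Packet("198.51.100.9", "R4", 80, b"GET /?id=1 UNION SELECT pw FROM users"),
    ]
    for p in samples:
        print(p.src_ip, edge_router_receive(p))
```

Running the block shows the clean HTTP packet forwarded along R1, R2, R3, R4 (cost 3, cheaper than the direct R1 to R3 link), while the telnet and SQL-injection samples are dropped by the security device before the router ever computes a path.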