1. Field of the Invention
The present invention relates to a method and apparatus for application control in private and public Internet, and more particularly, to a method and apparatus of providing scaleable flow based application control in private and public Internet.
2. Description of Related Art
Private and public Internets are interconnected with communication nodes that route packets from a source network host to a destination network host. Packets are a whole or a portion of a transmission between two host nodes, with each node having a unique network address. The Internet is made up of a variety of different networks, each assigned a unique network identifier. The network address is hierarchical in that it is made up of a network identifier, a sub network identifier, and a host identifier. Communication nodes called routers use the network portion of the address to make routing decisions at the points where networks are interconnected. This allows networks to be interconnected without communication nodes having to know the details of all the sub networks and network hosts inside a destination network. However, within a destination network, a router would need to know the sub networks that are within its network, and subsequently within a sub network a router would need to be able to resolve all of the addresses for network hosts directly connected within the subnet. This hierarchy is analogous to the hierarchy of addresses when routing a telephone call in a circuit switched network: the country and area codes are used to aggregate the routing and addressing for all of the handsets within an area.
Because of the network addressing hierarchy, routers end up being very efficient in scaling the number of hosts that can connect to the Internet because they rely on the network identifiers only. However, in the access network where network hosts attach to the Internet, service providers increasingly want to provide “granular” services in which individual subscribers and applications can be differentiated from the “best effort” services provided on the Internet. One of the ways service providers are providing granular services is with flow-based network appliances.
However, because of the vast number of hosts that can connect to the Internet, in comparison with the number of networks that can connect, flow-based appliances cannot scale and aggregate Internet traffic the way Internet routers can if all communications are treated as flows.
In addition, each flow setup could experience significant latency in comparison to the latency once a flow is established, because of the complex logic applied to the first packet of a communication exchange and the creation of a flow entry in a lookup table.
Lastly, because flows are set up on each communication exchange between applications on network hosts, flow-based appliances can be susceptible to denial of service attacks simply by having a network host generate a new communication exchange to a new network destination address or communications port, causing a flow entry to be created for each exchange. Network service attacks can take many forms, including IP address sweeps, port scans, worms and email viruses. In an IP address sweep, the attacker attempts connections with many IP addresses on a particular TCP or UDP port. In a port scan, the attacker targets a specific machine and tries to initiate connections on hundreds or thousands of ports looking for a point of entry.
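The state-exhaustion problem described above, as an added illustration that is not part of the patent text: a minimal model of a flow table that creates one entry per new exchange, fed a constructed packet sample containing one normal client, one port-scanning host and one address-sweeping host. The per-source new-flow budget, the packet tuples and the classification thresholds are assumptions chosen for the demonstration, not anything the application specifies.

```python
from collections import defaultdict

# Constructed sample traffic (not from the patent): (src_ip, dst_ip, dst_port).
# 10.0.0.5 reuses one connection; 10.0.0.9 port-scans one host;
# 10.0.0.7 sweeps many addresses on a single port.
PACKETS = (
    [("10.0.0.5", "198.51.100.10", 443)] * 20
    + [("10.0.0.9", "198.51.100.10", p) for p in range(1, 201)]
    + [("10.0.0.7", f"198.51.100.{h}", 22) for h in range(1, 101)]
)

class FlowTable:
    """Flow-based appliance model: one entry per (src, dst, port) key.
    A per-source budget of new flows bounds how much table state one host can force."""
    def __init__(self, per_source_limit=None):
        self.entries = set()
        self.limit = per_source_limit
        self.new_flows = defaultdict(int)
        self.targets = defaultdict(set)   # (dst, port) attempted per source
        self.flagged = set()

    def process(self, src, dst, port):
        key = (src, dst, port)
        if key in self.entries:
            return "hit"            # established flow: cheap fast-path lookup
        self.targets[src].add((dst, port))
        if self.limit is not None and self.new_flows[src] >= self.limit:
            self.flagged.add(src)
            return "dropped"        # budget spent: refuse to create more state
        self.entries.add(key)       # slow path: flow setup
        self.new_flows[src] += 1
        return "created"

    def classify(self, src, threshold=50):
        # Label the two patterns the text names from what a source attempted.
        hosts = {d for d, _ in self.targets[src]}
        ports = {p for _, p in self.targets[src]}
        if len(hosts) == 1 and len(ports) >= threshold:
            return "port scan"
        if len(ports) == 1 and len(hosts) >= threshold:
            return "address sweep"
        return "normal"

def run(packets, per_source_limit=None):
    # Feed packets through a table; return it and the per-outcome counts.
    table = FlowTable(per_source_limit)
    counts = defaultdict(int)
    for pkt in packets:
        counts[table.process(*pkt)] += 1
    return table, dict(counts)
```

Run without a limit, the table grows by one entry for every probe the two scanning hosts send; with a per-source budget of 16 new flows it stays at a few dozen entries while both scanners are flagged and can still be classified from their attempted targets.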
There is a need in the art for a flow-based appliance that can provide both the scale necessary to interconnect Internet hosts and the granularity required to provide differentiated services, for example, on a per-subscriber or per-application basis.