The relentless increase in data traffic over distributed networks has created a corresponding requirement for monitoring and filtering the data passing over such networks. Whether the distributed network is a local area network (LAN), a metropolitan area network (MAN), or a wide area network (WAN) that spans an entire continent, the monitoring and filtering tasks are conventionally carried out either in hardware, using dedicated application specific integrated circuits (ASICs), or in software running on processing devices that host server software. In the latter case, the processing devices may be network servers, that is, computers one of whose programmed tasks is to operate server software within a particular LAN or WAN. Alternatively, they may be dedicated devices that run only network software, so-called “network appliances”. It will be understood that the term “server” is used in the literature to denote both the physical processing devices and the server software they host. Where a distinction is not made between these meanings in the following text, the term refers to both simultaneously.
Typically, a range of monitoring and filtering tasks is performed at various points throughout a distributed network in order to protect servers and/or their clients from unwanted data. Indeed, the routing strategies adopted by routers may themselves be regarded as fulfilling a basic filtering task. Many software applications, executed by the servers themselves, implement monitoring and/or filtering tasks. An important subset of these applications deals primarily with potential threats to the integrity of the network or of the information transmitted over it: these are generally referred to as security software applications or simply “security elements”.
Examples of existing internet security software applications for execution on servers include: antivirus (AV) detection software; spam detection software; content monitoring software; firewall software; traffic sniffing software; anti-fraud software; and intrusion detection and prevention software.
Servers can either be owned and operated by business or residential users, or be provided as “managed security services” by a service provider, for example a telecommunications operator, a communications service provider (CSP) or an internet service provider (ISP). In the case of a managed security service, the service provider may incorporate one or more security elements in its service offering. This may be done by placing appropriately configured servers on the customer premises or by providing the security element in the provider's own servers at a data centre. Service providers typically supply either an all-purpose network server or a dedicated network appliance for each group of one or more customers, with a separate piece of server software processing the data traffic for each security element offered. In addition, the service provider will generally deploy additional servers within its own network to provide internal security and to prevent attacks on its own network infrastructure.
Software security systems that enable data traffic in packet-oriented networks to be monitored and controlled are known. Examples of security systems used with the ubiquitous TCP/IP protocol suite include firewall applications, AV software and intrusion detection software, including so-called “sniffer” software.
Firewall applications include packet inspection functionality that allows content-aware filtering of the packets passing into a sub-network, for example allowing only certain FTP (file transfer protocol) commands to be used, or blocking encrypted data traffic over a given port.
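The following added example, which is not part of the original description and not any particular product's code, illustrates such content-aware filtering in Python. The FTP command allowlist, the use of port 8443 as a port on which encrypted traffic is refused, and the sample segments are assumptions made for the example. The caveat it shows is that commands must be reassembled across TCP segments before they are judged, otherwise a command split over two packets is never seen whole.

```python
"""Content-aware filtering of an FTP control channel and detection of
encrypted traffic on a port (added example, not from the original text).
Assumed, not given by the original: the command allowlist, TCP port 21 as
the FTP control port, port 8443 as the port on which encrypted traffic is
refused, and the sample segments in demo()."""
from collections import defaultdict

# Hypothetical policy: FTP commands permitted into the sub-network.
ALLOWED_FTP_COMMANDS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}
FTP_CONTROL_PORT = 21
TLS_BLOCKED_PORTS = {8443}   # hypothetical port on which encrypted traffic is refused
TLS_HANDSHAKE_RECORD = 0x16  # TLS record-layer content type for handshake records


class FtpCommandFilter:
    """Reassembles CRLF-terminated command lines across TCP segments before
    deciding, so that a command split over two segments (e.g. "DE" + "LE")
    is still judged as the single command DELE."""

    def __init__(self, allowed=ALLOWED_FTP_COMMANDS):
        self.allowed = allowed
        self._pending = defaultdict(bytes)  # incomplete line, keyed per flow

    def inspect(self, flow, payload):
        """Return [(command, 'allow'|'block'), ...] for every complete line."""
        data = self._pending[flow] + payload
        decisions = []
        while b"\r\n" in data:
            line, data = data.split(b"\r\n", 1)
            command = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
            decisions.append((command, "allow" if command in self.allowed else "block"))
        self._pending[flow] = data  # keep the partial tail for the next segment
        return decisions


def looks_like_tls(payload):
    """Heuristic for a TLS record: content type 0x16 (handshake, as in a
    ClientHello) followed by a 0x03xx record-layer version."""
    return (len(payload) >= 5
            and payload[0] == TLS_HANDSHAKE_RECORD
            and payload[1] == 0x03 and payload[2] <= 0x04)


def inspect_packet(ftp_filter, src_ip, dst_port, payload):
    """Decision for one TCP segment entering the sub-network."""
    if dst_port in TLS_BLOCKED_PORTS and looks_like_tls(payload):
        return "block"
    if dst_port == FTP_CONTROL_PORT:
        return ftp_filter.inspect((src_ip, dst_port), payload)
    return "allow"


def demo():
    """Constructed segments: the DELE command straddles two segments, then a
    constructed TLS ClientHello record header and a plaintext HTTP request
    arrive on the port where encrypted traffic is refused."""
    flt = FtpCommandFilter()
    client_hello = bytes([0x16, 0x03, 0x01, 0x00, 0xC8]) + b"\x01" * 200
    return [
        inspect_packet(flt, "10.0.0.5", 21, b"USER alice\r\nPASS s3cret\r\nDE"),
        inspect_packet(flt, "10.0.0.5", 21, b"LE secret.txt\r\nRETR report.pdf\r\n"),
        inspect_packet(flt, "10.0.0.5", 8443, client_hello),
        inspect_packet(flt, "10.0.0.5", 8443, b"GET / HTTP/1.1\r\n\r\n"),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The TLS check is a record-layer heuristic only; a production filter would also track the flow so that a session once identified as encrypted stays blocked after its first record.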
An ISP may provide AV software configured to be applied to the email traffic carried by its mail service. AV software monitors the email traffic for data patterns that correspond to a regularly updated list of “virus signatures”. Virus signatures are patterns of data that identify potentially malicious executable code.
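As an added example (not part of the original description, and not the code of any actual AV product), the following Python scanner applies a list of constructed stand-in signatures to e-mail traffic. Two details a practitioner would want, which the description above does not spell out, are shown: attachments travel base64-encoded, so matching must be done on the decoded MIME part rather than on the raw transport bytes; and a scanner that works in chunks must carry the tail of one chunk into the next, or a signature that straddles the chunk boundary is missed. The signatures, addresses and message content are all constructed for the example.

```python
"""Signature scanning of e-mail traffic (added example, not from the original
text). The signatures and the message are constructed stand-ins. Two points
the example makes that the description does not: a signature straddling two
scan chunks must still be found, and attachments travel base64-encoded, so
the scanner must match on the decoded attachment, not on the raw bytes."""
import email
from email import policy
from email.message import EmailMessage

# Constructed, hypothetical signatures: name -> byte pattern.
SIGNATURES = {
    "Test.Dropper.A": b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00",
    "Test.Macro.B": b"AutoOpen()\r\nShell(",
}


def scan_stream(chunks, signatures=SIGNATURES):
    """Scan an iterable of byte chunks for every signature and return sorted
    (absolute_offset, name) hits. The last max_len-1 bytes of each chunk are
    carried into the next, so a pattern split across chunks is still seen;
    hits are keyed by absolute offset so the overlap is not reported twice."""
    max_len = max(len(sig) for sig in signatures.values())
    carry, base, hits = b"", 0, {}   # base: absolute offset of carry[0]
    for chunk in chunks:
        data = carry + chunk
        for name, sig in signatures.items():
            idx = data.find(sig)
            while idx >= 0:
                hits[base + idx] = name
                idx = data.find(sig, idx + 1)
        keep = min(len(data), max_len - 1)
        carry = data[len(data) - keep:]
        base += len(data) - keep
    return sorted(hits.items())


def chunked(data, size):
    """Split bytes into fixed-size chunks, as a stream-oriented scanner sees them."""
    return (data[i:i + size] for i in range(0, len(data), size))


def scan_email(raw_message, chunk_size=64):
    """Decode every non-multipart MIME part (base64 / quoted-printable handled
    by the email package) and scan the decoded bytes. Returns
    {filename-or-part-index: hits} for parts with at least one hit."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {}
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        hits = scan_stream(chunked(payload, chunk_size))
        if hits:
            report[part.get_filename() or f"part{index}"] = hits
    return report


def build_sample_message():
    """Constructed message: a benign text body plus an attachment in which a
    hypothetical signature sits at offset 60, across the 64-byte chunk edge."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    attachment = b"A" * 60 + SIGNATURES["Test.Dropper.A"] + b"B" * 30
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw transport bytes:", scan_stream(chunked(raw, 64)))   # nothing: base64
    print("decoded parts:", scan_email(raw))
```

Scanning the raw message bytes finds nothing because the attachment is base64-encoded in transit; only the decoded part matches, which is why a mail-path scanner must decode MIME before it applies signatures.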
Sniffer software can be used to monitor and log the activity of a predetermined network user, allowing a network administrator to detect abusive or suspicious network activity.
Such software solutions are fundamentally limited by the capacity of servers to receive monitored data, process it in software, and retransmit it onto the network quickly enough to avoid introducing large delays (latency) or dropping data packets entirely. Where large numbers of subscribers are offered managed security services (as they would be in, for example, a residential service or a service aimed at small and medium sized enterprises), or where high traffic loads (input rates of 100 Mbytes/s, that is 800 Mbit/s, or more) are carried on large networks, the software approach runs up against these constraints. Conventionally, this problem is addressed by deploying additional servers in conjunction with (hardware) network switches that distribute the traffic load between the available servers. This solution comes at a cost in terms of: complexity; administration and management overheads; the physical infrastructure space required for the network and attached devices; and, often crucially, financial outlay.
Conventional processing and monitoring devices, such as those used for processing IP data traffic, comprise a hardware network switch and a processing device. In operation, the processing device executes software servers, each software server offering the functionality of a security element to one or more users.
Real-time interception of network traffic is distributed amongst the software servers so that each software server hosts the functionality of a security element on behalf of a predetermined group of users.
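The following added example (not from the original description) illustrates in Python how the distribution of intercepted traffic among software servers can be arranged so that each subscriber is pinned to one server. The server names, the 10.0.0.0/8 subscriber address range and the replica count are assumptions for the example. It keys on the subscriber address rather than the full connection five-tuple, so both directions of all of a subscriber's flows reach the server holding that subscriber's state, and it uses a consistent-hash ring so that adding a server to absorb extra load re-pins only the subscribers that move to the new server.

```python
"""Distributing intercepted traffic across software servers (added example,
not from the original text). A subscriber's packets must always reach the
same software server, since that server holds the subscriber's per-flow
state (TCP reassembly, partial scan results). A consistent-hash ring gives
that pinning and, when a server is added to absorb load, moves only the
subscribers that land on the new server. Assumed, not given by the text:
the server names, the 10.0.0.0/8 subscriber range and the replica count."""
import bisect
import hashlib
import ipaddress

SUBSCRIBER_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical customer address range


def _point(key):
    """Map a string to a 64-bit position on the hash ring."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class ServerRing:
    """Consistent-hash ring of software servers; each server owns `replicas`
    points so that load is spread evenly around the ring."""

    def __init__(self, servers, replicas=64):
        self.replicas = replicas
        self._points = []   # sorted ring positions
        self._owners = []   # server owning the point at the same index
        for server in servers:
            self.add(server)

    def add(self, server):
        for r in range(self.replicas):
            p = _point(f"{server}#{r}")
            i = bisect.bisect(self._points, p)
            self._points.insert(i, p)
            self._owners.insert(i, server)

    def server_for(self, subscriber_ip):
        """The server owning the first ring point at or after the subscriber's
        position, wrapping round at the end of the ring."""
        p = _point(str(ipaddress.ip_address(subscriber_ip)))
        i = bisect.bisect_left(self._points, p) % len(self._points)
        return self._owners[i]


def subscriber_of(src_ip, dst_ip):
    """Customer-side address of a packet, so that inbound and outbound packets
    of one subscriber (and all of that subscriber's flows) key identically."""
    for addr in (src_ip, dst_ip):
        if ipaddress.ip_address(addr) in SUBSCRIBER_NET:
            return addr
    raise ValueError("neither address is in the subscriber range")


def dispatch(ring, packets):
    """Group (src_ip, dst_ip) packets by the software server that must inspect them."""
    by_server = {}
    for src_ip, dst_ip in packets:
        server = ring.server_for(subscriber_of(src_ip, dst_ip))
        by_server.setdefault(server, []).append((src_ip, dst_ip))
    return by_server


def moved_on_scale_out(subscribers, old_servers, new_server):
    """Fraction of subscribers re-pinned when new_server joins. With consistent
    hashing a subscriber either stays put or moves to new_server; none are
    shuffled between existing servers, so their state is undisturbed."""
    before = ServerRing(old_servers)
    after = ServerRing(old_servers + [new_server])
    moved = 0
    for sub in subscribers:
        was, now = before.server_for(sub), after.server_for(sub)
        if was != now:
            assert now == new_server
            moved += 1
    return moved / len(subscribers)


if __name__ == "__main__":
    ring = ServerRing(["sec-1", "sec-2", "sec-3"])
    print(dispatch(ring, [("10.1.2.3", "203.0.113.9"), ("203.0.113.9", "10.1.2.3")]))
    subs = [f"10.0.{i // 256}.{i % 256}" for i in range(1, 2001)]
    print("re-pinned on adding sec-4:", moved_on_scale_out(subs, ["sec-1", "sec-2", "sec-3"], "sec-4"))
```

Keying on the five-tuple instead would place the two directions of one connection on different servers and break any stateful inspection; keying on the subscriber address keeps the whole of that subscriber's traffic, in both directions, on one server.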
Prior art systems do not cope effectively with high bandwidth data traffic such as is found in the core networks of ISPs and CSPs. Examples of communications standards whose input rates are considered high bandwidth include: STM-64 (1244 Mbytes/s); STM-16 (311 Mbytes/s); 10 Gigabit Ethernet (1250 Mbytes/s in LAN PHY mode, or the STM-64 rate in WAN PHY mode); and Gigabit Ethernet (125 Mbytes/s).
A hardware platform is able to handle these high bandwidth input rates. Conventional hardware platforms, however, implement each required security element as a corresponding, dedicated (often custom built) ASIC component.
Such devices have typically been built to perform specific protocol processing tasks. The major disadvantage of known custom built hardware devices is their static functionality: while capable of handling data traffic at full line rate, they are not easily adapted or upgraded, which makes them complex, risky and time-consuming to build, update and maintain. Furthermore, the inherent difficulty of constructing firmware or hardware analogous to “real-time” security software applications means that there are relatively few suitably skilled developers.
A more recent approach has been to provide an ASIC that includes a field programmable gate array (FPGA) with dynamically programmable logic. The dynamic programming is achieved either by using a hardware description language such as VHDL or by instantiating a programmable finite state machine (FSM).
Where VHDL and similar languages are used, the drawback has been that the developer community is small and that programming, and particularly debugging, such applications has proved very difficult. The problem with FSMs, by contrast, is that while they may be easy to program, the functionality that can be implemented with them is very restricted compared with the versatility of general-purpose programming languages: attempts to extend their functionality have resulted in unmaintainable code.