A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
A private network may include a number of devices, such as computers, owned or administered by a single enterprise. These devices may be grouped into a number of site networks, and these sites in turn may be geographically distributed over a wide area. As one example, each site network may include one or more local area networks (LANs) connecting the devices at the particular site. With the advent of Virtual Private Network (VPN) and Virtual Private LAN Service (VPLS) technology, enterprises can now securely share data between site networks over a public network, such as the Internet. For example, a hub or central network site may be the network at the headquarters of the enterprise, while spoke site networks are typically networks at geographically distributed branch offices, sales offices, manufacturing or distribution facilities, or other remote sites of the enterprise.
Due to the increasing importance of network security, it has become common for service providers to deploy security devices between each of the private site networks and the service provider network or other intermediate public networks connecting the site networks. One example of a commonly deployed security device is a firewall network device. A firewall, for example, is a dedicated or virtual device that is configured to permit or deny traffic flows based on the service provider's security policies.
Security devices, such as firewalls, can be implemented at various layers of the network stack, as specified with respect to the Open Systems Interconnection Basic Reference Model (“OSI Reference Model”). A security device includes both a security plane and a forwarding plane. The security plane provides layer three (L3) to layer seven (L7) security services to packets based on defined security policies associated with the incoming and outgoing interfaces of the security device. The forwarding plane forwards the packets between the incoming and outgoing interfaces based on either layer two (L2) or L3 forwarding information. For example, a forwarding plane of an L3 security device operates at the network layer, i.e., layer three of the OSI Reference Model, to restrict L3 network communications. As another example, a forwarding plane of an L2 security device operates within the second layer of the OSI Reference Model, also known as the data link layer, to restrict L2 network communications. An L3 security device may provide security features as well as packet forwarding, routing or other L3 functionality. An L2 security device may provide security features along with switching or other L2 functionality.
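To make the split between the two planes concrete, the following added example (not code from the original text) models a security device whose forwarding plane picks the outgoing interface from either a MAC table (L2 mode) or a longest-prefix route lookup (L3 mode), and whose security plane then applies policies keyed on the incoming/outgoing interface pair plus L3/L4 fields, with a default deny. Interface names, addresses and policies are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Policy:
    from_iface: str        # incoming interface the policy is attached to
    to_iface: str          # outgoing interface the policy is attached to
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"


class SecurityDevice:
    def __init__(self, mode, policies, mac_table=None, routes=None):
        assert mode in ("L2", "L3")
        self.mode = mode
        self.policies = policies
        self.mac_table = mac_table or {}  # L2 device: destination MAC -> egress interface
        self.routes = [(ipaddress.ip_network(p), i) for p, i in (routes or [])]  # L3 device

    def forwarding_plane(self, pkt):
        """Select the outgoing interface from L2 or L3 forwarding information."""
        if self.mode == "L2":
            return self.mac_table.get(pkt.dst_mac)
        dst = ipaddress.ip_address(pkt.dst_ip)
        matches = [(net.prefixlen, iface) for net, iface in self.routes if dst in net]
        return max(matches)[1] if matches else None  # longest-prefix match wins

    def security_plane(self, pkt, out_iface):
        """First policy matching the interface pair and L3/L4 fields decides; default deny."""
        for pol in self.policies:
            if (pol.from_iface, pol.to_iface, pol.proto) == (pkt.in_iface, out_iface, pkt.proto) \
                    and pol.dport in (None, pkt.dport):
                return pol.action == "permit"
        return False

    def process(self, pkt):
        out_iface = self.forwarding_plane(pkt)
        if out_iface is None:
            return ("drop", None)  # no forwarding entry, so no policy pair to evaluate
        return ("permit", out_iface) if self.security_plane(pkt, out_iface) else ("deny", None)
```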