The increasing proliferation of both large and small computer networks, not only in workplaces but also in private homes, has highlighted the need for increased network security. Companies and individuals increasingly rely on their networks not only for continued productivity but, in some cases, for direct profits. This increasing reliance on computer networks, and the boom in both activity on and reliance upon the largest network of all, the Internet, emphasizes the vulnerability of computer networks to malicious attacks from hackers. Some of these attacks are commonly launched through the Internet—one of the more vulnerable points of a network typically being its Internet connection.
To prevent these attacks or to blunt their effectiveness, networks and even sole computers use firewalls—hardware, software or a combination of both that checks any incoming traffic to determine if the traffic is legitimate or is part of a hacker's assault on the network/computer being protected.
Currently, there are two predominant types of firewalls in common use—application proxies and packet filters. Application proxies act in place of the servers/computers to be protected when establishing/receiving connections with external computers. The application proxy acts as a go-between for the server/computer being protected and any external traffic—any connection to the external world is established between the application proxy and the external computer and not directly between the external computer and the server/computer being protected. Thus, any malicious attacks theoretically occur against the application proxy and not against the critical server/computer.
The other type of firewall currently in use is the packet filter. The packet filter firewall “filters” or checks all packets being received from the world external to the network being protected. The packet filter typically checks the header of each of these packets; any packet with a suspicious header is dropped and the user or system administrator is notified. Security policies set by the user or system administrator determine the amount of security provided by the firewall. These policies are set when the firewall is configured by the administrator and can be manually adjusted as required. The user or system administrator can loosen or tighten the security provided by a firewall by controlling from which source computers traffic will be accepted. On one end of the spectrum, the firewall can be configured to accept traffic/packets only from a select few sources/servers, with any other traffic being discarded. On the other end of the spectrum, the firewall can be configured to accept all traffic. Typically, a happy medium between these two ends is desirable.
While the above describes how both types of firewall work to protect today's servers and networks, each has its disadvantages. It is commonly accepted that while application proxies are much more secure than packet filters, they are much slower than packet filters. Conversely, packet filters, while fast, do not provide as much security.
It should be noted that some firewalls provide packet filtering functions along with application proxy functions. Such hybrid firewalls can provide either the security or the speed required by most applications. It should further be noted that the security policies enforced for a specific firewall, and hence the decisions which determine whether specific packets are to be accepted or discarded, are usually dependent on the application being shielded by the firewall. As such, e-mail applications and Internet browsers may have different applicable security policies. An e-mail application may have tighter applicable filtering security policies than an Internet browser due to the greater risk of viruses and worms being spread by way of e-mail messages. Conversely, a TELNET application may have stricter login security policies than an e-mail authentication/login application due to the greater risk of hackers trying to compromise the system by way of the TELNET application. One major issue with providing suitably secure connections across a firewall is the balancing act between the seemingly contrary concerns of speed and security. It has been widely accepted that the greater the security a firewall provides, the slower the connection. Conversely, the faster the connection, the weaker the firewall security usually is. A solution to the firewall speed/security issue would provide as much security as required by the network while still providing acceptable transmission and reception rates.
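As an added illustration of the packet-filter behaviour and the per-application policies described above (this is example code written for this page, not part of the original document or any product it describes), the following header-based filter applies an ordered, first-match rule list with a default action and records every dropped packet for the administrator. The three named policies ("tight", "open" and "per_application"), the rule fields and the sample packet headers are all constructed for this example; the addresses are documentation ranges, not real hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PacketHeader:
    """The header fields a packet filter inspects (constructed, simplified)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port, which identifies the shielded application


@dataclass(frozen=True)
class Rule:
    """One policy line; a None field means 'match any value'."""
    action: str                  # "accept" or "drop"
    src: Optional[str] = None    # source network in CIDR notation
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, h: PacketHeader) -> bool:
        if self.src is not None and ip_address(h.src) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != h.proto:
            return False
        if self.dport is not None and self.dport != h.dport:
            return False
        return True


class PacketFilter:
    """Ordered first-match filter; unmatched packets get the default action."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = list(rules)
        self.default = default
        self.dropped: List[str] = []   # notification log for the administrator

    def decide(self, h: PacketHeader) -> str:
        for rule in self.rules:
            if rule.matches(h):
                verdict = rule.action
                break
        else:
            verdict = self.default
        if verdict == "drop":
            self.dropped.append(f"dropped {h.proto} {h.src} -> {h.dst}:{h.dport}")
        return verdict


def build_policy(name: str) -> PacketFilter:
    """Three constructed policies spanning the spectrum described in the text."""
    if name == "tight":
        # One end of the spectrum: accept only a select few sources, discard the rest.
        return PacketFilter([Rule("accept", src="198.51.100.10/32", comment="trusted relay only")],
                            default="drop")
    if name == "open":
        # Other end of the spectrum: accept all traffic.
        return PacketFilter([Rule("accept", comment="accept everything")], default="accept")
    if name == "per_application":
        # The usual middle ground: the policy depends on the application behind the port.
        return PacketFilter([
            Rule("accept", src="198.51.100.10/32", proto="tcp", dport=25, comment="SMTP only from the relay"),
            Rule("drop", proto="tcp", dport=25, comment="all other SMTP is higher risk"),
            Rule("accept", proto="tcp", dport=80, comment="HTTP from anywhere"),
            Rule("accept", src="10.0.0.0/8", proto="tcp", dport=23, comment="TELNET from management net only"),
        ], default="drop")
    raise ValueError(f"unknown policy {name!r}")


# Constructed sample traffic arriving at the protected host 192.0.2.5.
SAMPLE_TRAFFIC = [
    PacketHeader("198.51.100.10", "192.0.2.5", "tcp", 25),  # mail from the known relay
    PacketHeader("203.0.113.7", "192.0.2.5", "tcp", 25),    # mail from an unknown host
    PacketHeader("203.0.113.7", "192.0.2.5", "tcp", 80),    # web request from the outside
    PacketHeader("203.0.113.7", "192.0.2.5", "tcp", 23),    # telnet from the outside
    PacketHeader("10.1.2.3", "192.0.2.5", "tcp", 23),       # telnet from the management subnet
]


def evaluate(policy_name: str) -> Tuple[List[str], List[str]]:
    """Run the sample traffic through a policy; returns (verdicts, admin notifications)."""
    pf = build_policy(policy_name)
    verdicts = [pf.decide(h) for h in SAMPLE_TRAFFIC]
    return verdicts, pf.dropped


if __name__ == "__main__":
    for policy in ("tight", "open", "per_application"):
        verdicts, notices = evaluate(policy)
        print(policy, verdicts)
        for line in notices:
            print("  notify admin:", line)
```

The same five headers give three different verdict lists, which is the point of the passage: the "tight" policy admits only the trusted relay, the "open" policy admits everything, and the per-application policy is strict for SMTP and TELNET while leaving HTTP open. First-match ordering matters; the rule that drops all other SMTP must come before the general HTTP rule would if HTTP were widened, and the default of "drop" is what catches anything the administrator did not explicitly allow.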
Another cause for concern in today's networking regime is the proliferation of VPNs—virtual private networks. VPNs allow enterprises to have a single network spanning multiple, geographically remote offices. In essence, a network in New York can be connected to a network in Houston with either network being able to seamlessly access files on the other network. These VPNs are connected across the Internet and, unfortunately, the secure nature of the VPNs requires extra security processing at each end of the VPN link. Such extra processing tends to slow down those VPN links.
From the above, there is therefore a need for solutions to both the problems of speed and security for firewalls and speed for VPNs. It would be most advantageous if such a solution provided both firewall and VPN functionality in one device.
It is an object of the present invention to overcome or at least mitigate the shortcomings of the prior art or provide an alternative to prior solutions.
It should be noted that the term data transmission unit (DTU) will be used in a generic sense throughout this document to mean units through which digital data is transmitted from one point in a network to another. Thus, such units may take the form of packets, cells, frames, or any other unit as long as digital data is encapsulated within the unit. Thus, the term DTU is applicable to any and all packets, cells, frames, or any other units that implement specific protocols, standards or transmission schemes. It should also be noted that the term digital data will be used throughout this document to encompass all manner of voice, multimedia content, video, binary data or any other form of data or information that has been digitized and that is transmitted from one point in a network to another.