This description relates to a network interface device integrating security and traffic management functions. The present invention is directed to the apparatus for creating security rules and traffic management rules for operating the network interface device. No new matter is introduced in this divisional application.
Two critical concerns of Internet Protocol (IP) networks are security and traffic management. To secure an IP network, for example, a local area network, a device such as a firewall can be deployed at the boundary between the local area network and a wide area network (e.g., the Internet) to prevent unauthorized access from sources external to the network. Firewalls serve as a point of network access where incoming traffic from remote sources and outgoing traffic to the Internet can be analyzed and controlled.
Due to the development of new services, IP networks today carry multiple types of traffic, such as voice, video, email, and web traffic to name a few. The convergence of multiple types of traffic requires adequate traffic management to ensure that the quality of service (QoS) requirements of each of these services can be met. Maintaining the requisite level of quality of service generates specific constraints, as services have different characteristics. For example, voice services are sensitive to both delay and delay variations, as distortions of the voice may drastically impact the quality and/or interactivity of the communication, but are generally tolerant of some loss. Video services, on the other hand, are insensitive to delay as compared to voice services, but may be more sensitive to delay variations and loss. Data services in general are largely immune to delay and delay variations, but are sensitive to loss. Uncontrolled traffic in data services has the tendency to consume the entire available pipe simply by the nature of the transport protocol used to transfer the data.
Security and traffic management functions are typically implemented by two separate network devices or two separate logical components of a single physical package that are coupled in series and configured independently of each other by different personnel. Miscommunication between the personnel can lead to conflict during operation of the security and traffic management functions. Further, as the two functions behave independently of each other, packet classification is performed twice (once by each function), which adds to processor load and increases latency.
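The following is an added illustration, not code from the patent, of the two points made above: a serial arrangement classifies every packet twice (once per function), whereas a single rule table carrying both a security action and a traffic class needs one classification pass, and lets a configuration-time check catch the kind of conflict that independent configuration can introduce (a dropped flow that is nonetheless assigned a traffic class). The packet model, rule tables, matcher and all names are hypothetical.

```python
"""Serial vs. integrated classification of packets for security and traffic management.
Added example; the 5-tuple-style packet model, rule tables and names are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Matcher:
    """Match criteria; None means 'any'. Every evaluation is counted in stats
    so the two designs can be compared by classification work per packet."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet, stats: dict) -> bool:
        stats["evaluations"] = stats.get("evaluations", 0) + 1
        return (ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Serial design: two independent first-match tables, configured separately.
SECURITY_RULES = [
    (Matcher(dst="10.0.0.0/8", proto="tcp", dport=23), "drop"),   # block telnet inbound
    (Matcher(proto="udp", dport=5060), "accept"),                 # SIP signalling
    (Matcher(), "accept"),                                        # default accept
]
TRAFFIC_RULES = [
    (Matcher(proto="udp", dport=5060), "voice"),
    (Matcher(proto="tcp", dport=23), "interactive"),
    (Matcher(), "best-effort"),
]


def first_match(rules, pkt: Packet, stats: dict):
    for matcher, result in rules:
        if matcher.matches(pkt, stats):
            return result
    return None


def serial_process(pkt: Packet, stats: dict):
    """Firewall first, then traffic manager: the packet is classified twice."""
    verdict = first_match(SECURITY_RULES, pkt, stats)
    if verdict == "drop":
        return ("drop", None)
    return ("accept", first_match(TRAFFIC_RULES, pkt, stats))


# Integrated design: one rule carries both decisions, so one pass suffices.
@dataclass
class Rule:
    matcher: Matcher
    action: str                    # "accept" or "drop"
    traffic_class: Optional[str]   # None for dropped traffic


INTEGRATED_RULES = [
    Rule(Matcher(dst="10.0.0.0/8", proto="tcp", dport=23), "drop", None),
    Rule(Matcher(proto="udp", dport=5060), "accept", "voice"),
    Rule(Matcher(proto="tcp", dport=23), "accept", "interactive"),
    Rule(Matcher(), "accept", "best-effort"),
]


def integrated_process(pkt: Packet, stats: dict, rules=INTEGRATED_RULES):
    """Single classification pass yielding both the security verdict and the class."""
    for rule in rules:
        if rule.matcher.matches(pkt, stats):
            return (rule.action, rule.traffic_class)
    return ("drop", None)   # implicit deny if no rule matches


def conflicting_rules(rules):
    """Configuration-time check: indices of rules that drop traffic yet assign it
    a traffic class, a conflict that separately configured tables cannot detect."""
    return [i for i, r in enumerate(rules)
            if r.action == "drop" and r.traffic_class is not None]


if __name__ == "__main__":
    telnet = Packet("192.0.2.10", "192.168.1.1", "tcp", 23)   # constructed sample
    s, i = {}, {}
    print(serial_process(telnet, s), s)          # ('accept', 'interactive') after 5 evaluations
    print(integrated_process(telnet, i), i)      # ('accept', 'interactive') after 3 evaluations
```

Evaluation counts are the point to watch: for the sample telnet packet the serial path walks the whole security table and then part of the traffic table, while the integrated path stops at the first rule that yields both answers.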