1. Field of the Invention
The invention described herein relates to information security and network throughput.
2. Background Art
Packet-based networks using an open architecture, such as the Internet Protocol (IP), provide a highly efficient and flexible communication medium for local and global communicators. However, the Internet Protocol and other network layer protocols are vulnerable to security risks that complicate their use in business and other applications that involve the communication of confidential data. Therefore, security has become an essential element of the Internet infrastructure and has increasingly become a limiting factor in terms of network throughput and latency.
A number of security solutions have been developed to enable new types of opportunities over packet-based networks. Often, data packets transmitted to a network device have security measures applied at multiple communication layers. For example, security processes for encryption and authentication may be applied at (a) the media access control (MAC)/data-link layer, (b) the network layer (e.g., Internet Protocol), (c) the transport layer, and (d) the application layer.
At an endpoint of a conventional network, a network device completely descrambles an incoming data packet before processing or using the data. In most cases, multiple security processing stages are required to assess security policies and, when required, apply security algorithms. Processing through each of these stages increases the overhead of security policy assessment and the overhead of passing data across a system bus from memory to the central processing unit (CPU) and possibly to a hardware cryptographic coprocessor.
Therefore, it would be advantageous to merge the processing required by the security policies at each stage into a single front-end processing function.