Computers implement various network policies to control network traffic and to protect a computer or other network device from malicious activity originating from other network devices, such as theft of data, denial of service (DoS) attacks, and the like.
One type of policy used to protect network devices is implemented through a tool known as a firewall. The firewall protects individual users, network devices, and networks in general, from malicious attacks, while also adding the ability to control the exchange of data. The firewall implements the policy by examining network packets and determining, based on the examination, whether the packets should be permitted, or conversely blocked, from further traversing the network. Firewalls perform other functions such as logging information pertaining to packets for future inspection.
The firewall uses filters to implement the policy. Each filter includes filter parameters and an action. The filter parameters identify the network packets that are subject to the policy and include information such as hardware addresses, e.g. Media Access Control (MAC) addresses, network addresses, e.g. Internet Protocol (IP) addresses, protocol type, e.g. Transmission Control Protocol (TCP), port numbers, and the like. The action defines how packets whose parameters match the filter parameters should be treated. As a specific example, a filter includes as its parameter a Uniform Resource Locator (URL), e.g. "http://www.foo.com", and associates with that URL the action of block, i.e. drop the packet. Whenever the firewall examines a packet and, through that examination, identifies the URL "http://www.foo.com" in the packet's payload, the firewall drops the packet, thereby preventing it from traversing the network. Note that a URL is an application-layer parameter: matching it requires the firewall to inspect the HTTP request inside the packet rather than only the packet headers, and it cannot be matched at all when the request is carried over an encrypted connection such as HTTPS.
The firewall includes multiple filters to implement the policy, and two or more filters may conflict. Two or more filters conflict when they apply to a common subset of network packets and designate different actions. For example, one filter designates that a network packet should be permitted to traverse the network while a different filter designates that the same network packet should be blocked. Where conflicting filters exist within a network device and no rule determines which filter takes precedence (for example, evaluation in a fixed order with the first matching filter winning), it becomes unpredictable how the overall system will respond to network traffic.
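The following is an added example, not code from the original text, that makes the two preceding points concrete: it models a filter as match parameters plus an action, evaluates packets against filters, and detects conflicting filters as pairs whose match sets overlap while their actions differ. The filter set, the packet, and the field names (src, dst, proto, dport) are constructed for illustration; a real firewall's parameter set is larger (MAC addresses, source ports, interfaces, and so on), but the overlap test generalizes field by field in the same way.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import List, Optional, Set, Tuple

PortRange = Tuple[int, int]  # inclusive destination-port range


@dataclass(frozen=True)
class Filter:
    """One firewall filter: match parameters plus an action (constructed model)."""
    name: str
    src: str               # source CIDR, e.g. "10.0.0.0/8"
    dst: str               # destination CIDR; "0.0.0.0/0" for any
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    dport: PortRange       # destination-port range, inclusive
    action: str            # "permit" or "block"


@dataclass(frozen=True)
class Packet:
    """The header fields of a packet that the filters above examine."""
    src: str
    dst: str
    proto: str
    dport: int


def _ports_overlap(a: PortRange, b: PortRange) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def _protos_overlap(a: Optional[str], b: Optional[str]) -> bool:
    return a is None or b is None or a == b


def filters_overlap(f: Filter, g: Filter) -> bool:
    """True if at least one packet could match both f and g.

    Each parameter is a set of values; two filters share packets only if
    every parameter's sets intersect (CIDR blocks overlap, port ranges
    overlap, protocols are compatible).
    """
    return (ip_network(f.src, strict=False).overlaps(ip_network(g.src, strict=False))
            and ip_network(f.dst, strict=False).overlaps(ip_network(g.dst, strict=False))
            and _protos_overlap(f.proto, g.proto)
            and _ports_overlap(f.dport, g.dport))


def find_conflicts(filters: List[Filter]) -> List[Tuple[str, str]]:
    """Pairs of filters that overlap but prescribe different actions."""
    return [(f.name, g.name) for f, g in combinations(filters, 2)
            if f.action != g.action and filters_overlap(f, g)]


def matches(f: Filter, p: Packet) -> bool:
    """Does packet p satisfy every parameter of filter f?"""
    return (ip_address(p.src) in ip_network(f.src, strict=False)
            and ip_address(p.dst) in ip_network(f.dst, strict=False)
            and (f.proto is None or f.proto == p.proto)
            and f.dport[0] <= p.dport <= f.dport[1])


def matching_actions(filters: List[Filter], p: Packet) -> Set[str]:
    """Actions of every filter that matches p.

    More than one distinct action means the policy is ambiguous for p:
    without a precedence rule, what the firewall does is unpredictable.
    """
    return {f.action for f in filters if matches(f, p)}


def first_match_action(filters: List[Filter], p: Packet, default: str = "block") -> str:
    """One common precedence rule: filters are evaluated in order, first match wins."""
    for f in filters:
        if matches(f, p):
            return f.action
    return default


# Constructed sample policy. "block-host" overlaps both permit filters,
# so any packet from 10.1.2.0/24 to TCP/80 or UDP/53 is ambiguous.
SAMPLE_FILTERS = [
    Filter("allow-web", "10.0.0.0/8", "0.0.0.0/0", "tcp", (80, 80), "permit"),
    Filter("block-host", "10.1.2.0/24", "0.0.0.0/0", None, (1, 65535), "block"),
    Filter("allow-dns", "10.0.0.0/8", "0.0.0.0/0", "udp", (53, 53), "permit"),
]

# Constructed packet that falls into the overlap.
SAMPLE_PACKET = Packet("10.1.2.7", "93.184.216.34", "tcp", 80)

if __name__ == "__main__":
    print("conflicts:", find_conflicts(SAMPLE_FILTERS))
    print("actions for sample packet:", matching_actions(SAMPLE_FILTERS, SAMPLE_PACKET))
    print("first-match decision:", first_match_action(SAMPLE_FILTERS, SAMPLE_PACKET))
```

Running it reports the two conflicting pairs and shows that the sample packet matches both a permit and a block filter. `first_match_action` illustrates why the outcome depends on something outside the filters themselves: with the list as written the packet is permitted, and with the same filters in reverse order it is blocked.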