1. Field of the Invention
This application relates generally to policy enforcement and more particularly to efficient enforcement of multiple policies on a stream of packets.
2. Description of the Related Art
The increase of traffic and security threats on the Internet and the demand for high performance have created a need for mechanisms that enable Service Providers (SPs) to provide safer, faster and more reliable networks and servers to their customers. However, current network architectures lack tools that enable SPs to integrate various security and performance-enhancement policies together with the aggregation of different customers' traffic, particularly at wire speed. This has adversely affected customer confidence in their ability to provide a secure and reliable network infrastructure. What is therefore needed is a device that enables the SP to better provide these capabilities. Additionally, the ability to selectively offer these services would be a potential SP revenue source.
In the past, vendors have attempted to perform policy enforcement for IP networks through various devices. These devices fall into four broad types: standalone systems that enforce unique (fixed) policies; switches that enforce limited policies; routers that enforce a limited set of policies; and integrated policy enforcement systems.
Standalone systems are designed to enforce specific policies, typically through a rigid algorithm implemented in software or hardware. Examples are FIREWALL™ from Checkpoint Software Technologies LTD, and Internet Security Systems (ISS) intrusion detection systems. While these systems offer adequate functionality in the right environment, they are inflexible where various policies need to be introduced, and would not adequately support high-speed systems.
Switches provide the basic switching capabilities at layer two of the Open Systems Interconnection (OSI) reference model. They also occasionally integrate Firewall (FW), Load Balancing (LB) or Quality of Service (QoS) capabilities. Since the switching is performed mostly through ASICs across various switching ports, such switches cannot perform deep packet inspection before making policy decisions.
Routers primarily route network packets at OSI layer three. They have also started to integrate additional IP service functionality while routing the network traffic. However, these devices rely on the limited spare processing capacity of the routing processor to make policy decisions. Their ability to make wire-speed decisions is thus very limited.
Finally, there are integrated policy enforcement systems. Traditionally, vendors who have built integrated policy enforcement systems have done so by running the policy enforcement software on a general-purpose computing platform integrated with their proprietary logic for packet delivery. This rigid approach generally allows the enforcement of policies in specific environments but does not offer flexibility or the capability of delivering enforcement at high speeds, for reasons similar to those found in standalone systems.
Thus, what is needed is a flexible policy enforcement engine that can handle multiple different sets of enforcement policies and that has an architecture that facilitates such enforcement at high speeds.