Conventionally, intrusion prevention as well as content filtering are important protection needed by numerous entities, ranging from private companies to governmental agencies. To protect an entity's networked system, some form of intrusion prevention system is usually implemented. A common intrusion prevention system is a firewall setup in between the entity's networked system and external network. The firewall can screen incoming data to detect possible malware (e.g., virus, spyware, etc.) and block the incoming data if possible malware is detected. As used herein, malware broadly refers to malicious software designed to infiltrate and/or damage a computer system and/or network without the informed consent, or even knowledge, of owner of the computer system and/or network.
In addition to screening data for malware, the firewall is often used to screen the content of incoming data for content filtering purpose. If the incoming data falls into a prohibited category according to the entity's policy (e.g., pornography, violence, social networking sites, etc.), then the firewall may block the incoming data as well.
In order to detect malware and to determine the content rating of incoming traffic, the firewall typically stores signatures of known malware and content ratings of known webpages. However, only a limited number of these signatures and content ratings may be limited because of the limited storage capacity of the firewall. As a result, the coverage of these signatures and content ratings stored in the firewall is also limited. Furthermore, in systems having multiple firewalls, updating the signatures and content ratings across a system can be tedious and time consuming because each of the firewalls in the system has to be updated to ensure consistency.