This section is intended to provide a background or context to the invention that is recited in the claims. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, what is described in this section is not prior art to the description and claims in this application and is not admitted to be prior art by inclusion in this section.
In perimeter security, the firewall is the typical first line of defense for a network. A firewall is a collection of security measures that are used to prevent unauthorized electronic access to a computer system or network. In terms of the overall protection of a network, “defense in depth” refers to the application of multiple layers of security technologies (referred to herein as “scanners”) at the perimeter of the network and within the network in order to protect it. In recent years, there has been a trend towards the combining multiple security technologies or scanners within a single device. Although such combinations of scanners makes security management easier, it also results in a significantly higher demand on the device that is performing the scanning in terms of both performance and flexibility.
Virtual memory is a system for dynamically mapping a program's address or addresses to one or more physical memory addresses. In an unprivileged mode of execution, an individual computer program cannot access any of the device's physical memory other than its own, and the program cannot run special instructions in the processor that can affect the hardware state for other programs. The unprivileged mode is also referred to as a user-mode. In a privileged mode of execution, the computer program can access any part of the computer hardware and may modify aspects of other programs. The privileged mode of execution typically refers to the operating system (OS) of the device. Still further, the device at issue typically contains firmware, which is the software that is preinstalled within an execution unit.
With regard to the security technologies or scanners that are used within and at the perimeter of a network, many of these technologies are implemented as software programs that run in the unprivileged mode on the operating system. Additionally, other technologies run in the privileged mode, while others are built into the firmware of special purpose hardware. This creates a significant issue, as the three different implementations of these technologies (unprivileged, privileged and hardware) have conventionally been incompatible with the other. Additionally, these technologies tend to be run in a serialized manner and tend to run at different rates. Still further, these technologies typically require that the data to be scanned be delivered in different layers of the protocol stack from each other. Because the technologies are run in different modes, they also tend not to be capable of sharing memory with each other, resulting in a requirement for making copies of the data to be scanned.
In some previous implementations, the above issues have been addressed by having separate hardware inline for each type of scanner (e.g., stand-alone firmware, intrusion detection and prevention (IDP) software, anti-virus software, etc.) Attempts to address the above-identified issues have also involved running each scanner on separate software blades, and then broadcasting or coping the packets to each blade.