Many enterprises employ the “firewall” mechanism to protect their computer networks. A typical firewall device is located at the boundary of the enterprise network. It inspects network traffic flows entering or leaving the internal network, and filters out “unwanted” packets of data. Conventional firewall devices support stateful inspection to enforce more complicated security policies involving stateful network protocols. For example, one popular firewall policy allows Transmission Control Protocol (TCP) connections initiated from internal hosts, but denies TCP connections initiated from outside the network. A stateful inspection firewall handles this by creating a new connection state whenever it captures the first data packet of a data flow for a TCP connection initiated from an internal host. This packet carries the TCP SYN flag and is referred to as the TCP “SYN” packet; a SYN packet arriving from outside the network, for which no connection state exists, is dropped under this policy. State information may be stored locally to the firewall device for the lifetime of the network flow.
State information about a network flow or connection is established in a firewall device when the first data packet initiating the connection is processed. In the TCP case, this is the SYN packet. In the case of a User Datagram Protocol (UDP) session, it is the first UDP packet sent by the client. The data packets in a flow include header information about the packet. Subsequent packets, in either direction, are considered part of the flow if their header fields match the stored connection state. Different firewall implementations may key their state on different header fields, but these generally include the source and destination Internet Protocol (IP) addresses and ports, together with the transport protocol.
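The behaviour described in the two preceding paragraphs, as an added example that is not part of the original text: a minimal stateful-inspection filter that creates state only for flows initiated from inside, matches later packets of the flow in both directions against that state, and drops unsolicited packets from outside. The internal address range (10.0.0.0/8), the idle timeout, the packet representation and the packet trace are all constructed for the example; the trace covers the TCP handshake, an inbound SYN, a UDP request and reply, an unsolicited inbound UDP packet, and a packet arriving after the flow state has expired.

```python
"""Minimal stateful-inspection firewall (added example, not from the original page).

Policy: allow TCP/UDP flows initiated by internal hosts (10.0.0.0/8 is assumed
to be the internal network), deny flows initiated from outside. State is keyed
on the 5-tuple (protocol, src ip, src port, dst ip, dst port) and is created
only by the first packet of a flow sent from an internal host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range
FLOW_TIMEOUT = 300                   # assumed idle lifetime of a flow, in seconds


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    ts: float = 0.0                  # arrival time in seconds (constructed)


def tuple_of(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_tuple(p):
    """The 5-tuple of the same flow as seen from the other direction."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def is_flow_initiator(p):
    """First packet of a flow: a TCP SYN without ACK, or any UDP packet."""
    if p.proto == "tcp":
        return "SYN" in p.flags and "ACK" not in p.flags
    return p.proto == "udp"


class StatefulFirewall:
    def __init__(self):
        self.state = {}  # forward 5-tuple (as sent by the initiator) -> last-seen time

    def _expire(self, now):
        dead = [k for k, seen in self.state.items() if now - seen > FLOW_TIMEOUT]
        for k in dead:
            del self.state[k]

    def process(self, p):
        """Return 'ALLOW' or 'DROP' for one packet and update the state table."""
        self._expire(p.ts)
        fwd, rev = tuple_of(p), reverse_tuple(p)
        if fwd in self.state:                       # same direction as the initiator
            key = fwd
        elif rev in self.state:                     # reply direction of a known flow
            key = rev
        elif is_flow_initiator(p) and is_internal(p.src):
            key = fwd                               # new flow from inside: create state
        else:
            return "DROP"                           # unsolicited or unknown packet
        if p.proto == "tcp" and "RST" in p.flags:
            self.state.pop(key, None)               # reset tears the flow down immediately
            return "ALLOW"
        self.state[key] = p.ts                      # refresh the flow's lifetime
        return "ALLOW"


def run_trace():
    """Run a constructed packet trace through the filter and return the verdicts."""
    fw = StatefulFirewall()
    trace = [
        Packet("tcp", "10.1.2.3", 40000, "203.0.113.10", 443, frozenset({"SYN"}), 0.0),
        Packet("tcp", "203.0.113.10", 443, "10.1.2.3", 40000, frozenset({"SYN", "ACK"}), 0.1),
        Packet("tcp", "10.1.2.3", 40000, "203.0.113.10", 443, frozenset({"ACK"}), 0.2),
        Packet("tcp", "198.51.100.7", 5555, "10.1.2.3", 22, frozenset({"SYN"}), 1.0),  # inbound SYN
        Packet("udp", "10.1.2.3", 50000, "203.0.113.53", 53, ts=2.0),                  # DNS query
        Packet("udp", "203.0.113.53", 53, "10.1.2.3", 50000, ts=2.1),                  # DNS reply
        Packet("udp", "198.51.100.7", 53, "10.1.2.3", 50001, ts=3.0),                  # unsolicited UDP
        Packet("tcp", "203.0.113.10", 443, "10.1.2.3", 40000, frozenset({"ACK"}), 400.0),  # after timeout
    ]
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    print(run_trace())
```

The reply direction is recognised by looking up the reversed 5-tuple, which is what lets the SYN-ACK and the DNS answer through without ever creating state for an externally initiated flow; the final packet is dropped not because of its direction but because the flow's state has aged out.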
Due to the extra functions it performs, a firewall can sometimes become a performance bottleneck. One conventional solution uses a cluster of multiple firewall devices with traffic load-balanced among them. In order to support stateful inspection, these firewall devices must either share global state information or rely on some kind of traffic redirection device. A redirection device forwards every packet of an established connection, in both directions, to the “home” firewall device in which the state information for that connection is kept locally.
Global state information-sharing is complicated and does not scale well as the number of firewall devices in a cluster rises. Because many network connections are “short-lived,” much of the processing power of the firewall devices is spent synchronizing state for connections that end almost immediately. Using redirection devices increases the complexity and cost of the architecture, especially when multiple redirection devices are required to eliminate a single point of failure. System administrators must manage a cluster of redirection devices in addition to the firewall cluster. What is needed is a method and system for better processing firewall transactions in systems having multiple firewall devices.
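The redirection problem from the two preceding paragraphs, as an added example that is not part of the original text: three firewall devices that each keep connection state only locally, dispatched either by a naive per-packet round-robin load balancer or by a redirection device that pins every packet of a flow, in both directions, to the device that first saw it. The device count, the internal address range (10.0.0.0/8), the least-loaded placement rule and the packet trace are assumptions made for the example; the per-device filter is deliberately reduced to a set of flow keys so that the dispatching logic stays in view.

```python
"""Firewall cluster with a flow-affinity redirection device (added example,
not from the original page).

Each device keeps state only for the flows it saw initiated, so it is the
"home" device for those flows. The redirection device must send every packet
of a flow, in both directions, to that home device; a direction-independent
flow key makes this possible. The round-robin dispatcher is included only to
show what goes wrong without flow affinity.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
N_DEVICES = 3                         # assumed cluster size

# Packet = (proto, src ip, src port, dst ip, dst port, tcp flags)


def symmetric_key(pkt):
    """Same key for both directions: order the two (ip, port) endpoints."""
    proto, src, sport, dst, dport, _flags = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + min(a, b) + max(a, b)


def is_initiator(pkt):
    """First packet of a flow: TCP SYN without ACK, or any UDP packet."""
    proto, src, *_rest, flags = pkt
    if proto == "tcp":
        return "SYN" in flags and "ACK" not in flags
    return proto == "udp"


def device_process(tables, dev, pkt):
    """One cluster member; its state lives only in tables[dev]."""
    key = symmetric_key(pkt)
    if key in tables[dev]:
        return "ALLOW"                                   # known flow, either direction
    if is_initiator(pkt) and ip_address(pkt[1]) in INTERNAL:
        tables[dev].add(key)                             # new flow from inside
        return "ALLOW"
    return "DROP"                                        # unknown or externally initiated


class RoundRobinDispatcher:
    """Per-packet load balancing with no flow affinity (the failure mode)."""

    def __init__(self):
        self.next = 0

    def choose(self, pkt):
        dev, self.next = self.next, (self.next + 1) % N_DEVICES
        return dev


class Redirector:
    """Pins each flow to one home device for both directions of traffic."""

    def __init__(self):
        self.home = {}                  # symmetric flow key -> home device
        self.load = [0] * N_DEVICES     # flows placed per device

    def choose(self, pkt):
        key = symmetric_key(pkt)
        if key in self.home:
            return self.home[key]
        dev = self.load.index(min(self.load))  # least-loaded device (assumed placement rule)
        if is_initiator(pkt):                  # only a flow's first packet creates an affinity
            self.home[key] = dev
            self.load[dev] += 1
        return dev


TRACE = [  # constructed packets; 10.1.2.3 is internal, the others are external
    ("tcp", "10.1.2.3", 40000, "203.0.113.10", 443, frozenset({"SYN"})),
    ("tcp", "203.0.113.10", 443, "10.1.2.3", 40000, frozenset({"SYN", "ACK"})),
    ("tcp", "10.1.2.3", 40000, "203.0.113.10", 443, frozenset({"ACK"})),
    ("tcp", "198.51.100.7", 5555, "10.1.2.3", 22, frozenset({"SYN"})),   # inbound SYN
    ("udp", "10.1.2.3", 50000, "203.0.113.53", 53, frozenset()),         # DNS query
    ("udp", "203.0.113.53", 53, "10.1.2.3", 50000, frozenset()),         # DNS reply
]


def run_cluster(dispatcher):
    """Send TRACE through the cluster and return the per-packet verdicts."""
    tables = [set() for _ in range(N_DEVICES)]
    return [device_process(tables, dispatcher.choose(p), p) for p in TRACE]


if __name__ == "__main__":
    print("round robin:", run_cluster(RoundRobinDispatcher()))
    print("redirector: ", run_cluster(Redirector()))
```

With round-robin dispatching the SYN-ACK and the DNS reply land on devices that never saw the initiating packet and are dropped, so legitimate internally initiated connections fail; the redirector fixes this, but at the cost of a second stateful component (the affinity table) that itself has to be made redundant, which is the complexity the paragraph above describes.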