Devices such as firewalls are sometimes used to prevent users from accessing resources that they are not authorized to access. As an example, members of the public may be entitled to access content served by a web server, but not authorized to access other services available on the server such as administrative tools. In another example, employees of a company may be entitled to access certain websites or certain classes of websites while other websites or other classes of websites may be prohibited for all employees. Firewalls and other security devices typically enforce policies against network transmissions based on a set of rules.
Traditional security devices are implemented as a monolithic device provided with multiple processors for handling the incoming data streams. Such security devices often implement a centralized control scheme where one processor is designated as the management processor. Incoming data packets are often broadcast to all processors in the security device and the processors cooperate with each other, through software messaging, to determine which processor should take ownership of handling incoming data packets belonging to one or more flows. However, the centralized control scheme is not scalable to handle an increased number of data packets. In some cases, a security device may be implemented as a distributed system.
Furthermore, to implement complex security policies, a firewall needs to keep track of many independent and random events and correlate the events for policy enforcement. Firewalls or other security devices typically maintain event statistics using counters which need to be updated rapidly to effectively examine network traffic as the traffic is being communicated. Maintaining event statistics becomes challenging when the security device is implemented as a distributed system.