Edge devices provide packet connectivity entry points into a core network. They typically control and analyze the flow of traffic entering the core network, provide security to the core network by preventing harmful traffic from entering it, or provide enhancements to applications.
Examples of edge devices that monitor and analyze traffic, include traffic monitoring systems, traffic analysis systems, flow replication systems, and various other systems that monitor and control the type of traffic entering the core network.
Examples of edge devices that analyze the content of data entering the network to provide security to the core network include firewalls and detection/prevention equipment.
Briefly, a firewall refers to a device which limits access to a network by only allowing authorized flows/users access to a private network.
Whereas, detection/prevention equipment refers to systems that identify and block malicious code from entering a network, such as, but not limited to: computer viruses, worms, trojan horses, spam, malware, spyware, adware, and other malicious and unwanted software. Intrusion detection equipment may also include systems that detect when an attack is being perpetrated on a core network, such as a denial-of-service attack.
Examples of edge devices that provide enhancement of applications include applications that enhance the flow of packets, content adaptation applications, and acceleration application functions.
In many instances companies and organizations will purchase the best-in-class edge device solutions for use at the edge of a network. For example, an organization may purchase Vendor A's virus detection product, Vendor's B firewall, Vendor's C flow replication product, and Vendor's D router, because each is the best-in-class or for some other reason.
As a result most devices found at the edge of a core network, are a hodgepodge of dissimilar interconnected devices each performing a different task. The total cost for setting-up and operating these disparate edge solutions is soaring out of control. Besides purchasing all these different solutions, there are costs associated with keeping the equipment running, and managing software on all of the disparate pieces of equipment. Moreover, adding equipment to the edge of the network to handle growing network demands is often complicated and inflexible.
Furthermore, with multiple types of equipment needed to examine packets for different purposes, such as malware, DDoS, firewalls, routing, and so forth, there may be multiple examinations of packets between the time a packet is received at the edge of a network, and the time it is routed to a destination. Unfortunately each time a packet is examined and analyzed there is a delay incurred, which is undesirable, especially for packets that require quality-of-service, such as packets containing real-time data such as voice or video.
Presently, there is no flexible way to service different types of packets or traffic flows. When a packet enters the edge it is routed through a fixed series of vendor's solutions. There is little choice on selecting which services are performed on each packet entering a network, regardless of the type of packet. For example, it is difficult for certain packet types having a higher priority level (or trusted source) to bypass certain packet analysis equipment to increase efficiency. It is also difficult to thread (e.g. route) packet flows through different combinations of vendor's devices and services.
Furthermore, much of the functionality provided by different vendors equipment has fixed functionality limited in scope to particular application. Accordingly, while it may be possible to reprogram (upgrade) the particular application for its intended use, it is not presently possible to dynamically reprogram a device to change its intended purpose entirely. For example, it is not presently possible to convert a device for running spyware into a device for performing transcoding.
Thus, there is presently a desire to more efficiently service packets entering a network to reduce the quantity of examinations to a minimum desired level per packet type. There is also a desire to ensure Quality of Service is not sacrificed with the ability to route certain packets classified at the highest priority level through a more efficient examination process at the edge of a network. Further, there is also a present desire to simplify and more flexibly integrate the various disparate types of functionalities performed at the edge of a network or elsewhere, often provided by different vendors.