The present invention relates to network security systems and to redundancy protocols for network security systems.
There are many emerging trends in the communications world, including the growth of networking technology and the proliferation of data networks. One example of a data network is a packet switch communication system. A conventional packet switch communication system includes one or more routers connecting a plurality of users. A packet is the fundamental unit of transfer in the packet switch communication system. A user can be an individual user terminal or another network. A router is a switching device which receives packets containing data or control information on one port and, based on destination information contained within the packet, routes the packet out another port toward the destination (or an intermediary destination). Conventional routers perform this switching function by evaluating header information contained within the packet in order to determine the proper output port for a particular packet.
The network can be an intranet, that is, a private network such as a local area network (LAN) connecting one or more private servers. Alternatively, the network can be a public network, such as the Internet, in which data packets are passed over untrusted communication links. The network configuration can include a combination of public and private networks. For example, two or more LANs can be coupled together, and with individual terminals, using a public network such as the Internet. When public and private networks are linked, data security issues arise at the boundary between them. More specifically, conventional packet switch communication systems that include links between public and private networks typically include security measures that control and protect the traffic crossing that boundary.
To ensure security of communications, network designers have either incorporated security devices, such as firewalls and virtual private network gateways, together with traffic management devices in their systems, or enhanced their routers with these functionalities. A firewall is an Internet security appliance designed to screen traffic coming into and going out of a network location according to a policy. A virtual private network provides a secure connection through a public network such as the Internet between two or more distant network appliances, by encrypting and authenticating the traffic carried over the public links.
High availability is of paramount concern for security devices. Conventional security devices use redundancy to ensure that the system remains available even when one security device fails. Typically, one security device in a redundancy cluster actively processes all the production traffic for the cluster while the other security devices in the cluster remain on stand-by, poised to take over if needed but not sharing any of the processing burden. In addition, conventional recovery protocols are stateless, that is, the state of active connections is lost when a device fails. Accordingly, at the time of transition from the failed active device to another device in the cluster, state information must be rebuilt by the new active device. For a stateful security device this has a visible consequence: packets belonging to connections that were established before the failure arrive at the new active device with no matching state entry and are dropped, so those connections must be re-established by the endpoints before traffic flows again.
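The following model, added here as an illustration and not code from the patent, shows the stateless recovery behaviour described above. It simulates a two-member active/standby cluster of stateful-inspection firewalls with a constructed policy that admits new connections only to port 443 and otherwise forwards a packet only when the active member holds state for its flow. With `sync_state=False` (conventional stateless recovery) the standby's connection table is empty when it takes over, so an in-flight connection is dropped until the client reconnects; with `sync_state=True` the active member's table is replicated and the connection survives. The packet addresses, ports and member names are made up for the example.

```python
"""Toy model of an active/standby firewall cluster.

Constructed illustration: a minimal stateful-inspection firewall whose
connection table is either lost on failover (conventional stateless
recovery) or replicated to the standby member. Not code from the patent.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FlowKey = Tuple[str, str, int, int]  # (src, dst, sport, dport)

# Hypothetical policy: only new inbound connections to port 443 are permitted.
ALLOWED_DPORTS = {443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


@dataclass
class Firewall:
    """One cluster member; `table` holds the flows it currently knows about."""
    name: str
    table: Set[FlowKey] = field(default_factory=set)

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if pkt.syn and pkt.dport in ALLOWED_DPORTS:
            # New connection permitted by policy: remember both directions
            # so that the server's replies are also allowed through.
            self.table.add(key)
            self.table.add((pkt.dst, pkt.src, pkt.dport, pkt.sport))
            return True
        # Mid-stream packet: forwarded only if this member has state for the flow.
        return key in self.table


class Cluster:
    """Active/standby pair. With sync_state=False the standby's table stays
    empty, which is the conventional stateless recovery described in the text."""

    def __init__(self, members: List[Firewall], sync_state: bool):
        self.members = members
        self.active = members[0]
        self.sync_state = sync_state

    def forward(self, pkt: Packet) -> bool:
        verdict = self.active.filter(pkt)
        if self.sync_state:
            # Replicate the active member's connection table to every standby.
            for fw in self.members:
                if fw is not self.active:
                    fw.table = set(self.active.table)
        return verdict

    def fail_active(self) -> None:
        """Simulate the active device failing: the next member takes over.
        Nothing else happens; whatever the new active member already knows is all it has."""
        idx = (self.members.index(self.active) + 1) % len(self.members)
        self.active = self.members[idx]


def run_failover_scenario(sync_state: bool) -> List[bool]:
    """Forward a client connection through the cluster across a failover and
    return the per-packet verdicts (True = forwarded, False = dropped)."""
    cluster = Cluster([Firewall("fw-a"), Firewall("fw-b")], sync_state)
    syn = Packet("10.0.0.5", "192.0.2.10", 40000, 443, syn=True)
    data = Packet("10.0.0.5", "192.0.2.10", 40000, 443)
    reply = Packet("192.0.2.10", "10.0.0.5", 443, 40000)
    verdicts = [cluster.forward(syn), cluster.forward(reply), cluster.forward(data)]
    cluster.fail_active()
    # After failover: mid-stream data, then the client reconnects, then data again.
    verdicts += [cluster.forward(data), cluster.forward(syn), cluster.forward(data)]
    return verdicts


if __name__ == "__main__":
    print("stateless recovery:", run_failover_scenario(sync_state=False))
    print("state replicated:  ", run_failover_scenario(sync_state=True))
```

The fourth verdict is the one that matters: with stateless recovery the data packet sent right after failover is dropped and only a fresh connection attempt gets through, which is the "state must be rebuilt" cost the text describes; replicating the table removes that gap. Real clusters also have to replicate VPN security associations and NAT bindings, not just the TCP flow table, but the failure mode is the same.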
In order to achieve high availability, the network security system must be able to respond quickly to device failures without compromising throughput and without service interruption.