A conventional firewall is a means by which computer communication traffic is regulated. It is designed to block unauthorized access to a computer or computer network while allowing the computer or computer network to communicate outwardly to other computers and other computer networks. A conventional firewall may be categorized as being a hardware firewall when implemented with a separate dedicated network device or as a software firewall when executed by software. The conventional firewall is often combined with a router device.
FIG. 1 (Background) is a conceptual diagram of a network 100, including a conventional firewall 110. The conventional firewall 110 is coupled between the Internet 105 and a local area network (LAN), including a server 115 and computers 102A-102N. The conventional firewall 110 is a network security device that grants or rejects network access to traffic flows between an untrusted zone (e.g., the Internet 105) and a trusted zone (e.g., a private or corporate network). In this example, the trusted zone includes server 115 and computers 102A-102N. The conventional firewall 110 acts as the demarcation point or “traffic cop” in the network 100, as all communication should flow through the firewall 110. The firewall 110 is where traffic is granted or rejected access.
Conventional firewalls enforce access controls through a positive control model, which states that only traffic explicitly defined in the firewall policy is allowed onto the network; all other traffic is denied (known as “default deny”). The conventional firewall aggressively analyzes incoming computer communication traffic. The incoming and outgoing computer communication traffic between a local network and the outside is often referred to as north-south traffic. The device-to-device or computer-to-computer traffic within a local computer network, commonly referred to as east-west traffic, is not analyzed by the conventional firewall (or the router it is combined with).
Conventional firewalls do not protect local area networks from internal attacks. From the vantage point of a conventional firewall at the entry point or perimeter of a local area network, every computer and server on the internal local area network is a trusted computer. The internal computer communication traffic within a trusted local area network is never seen by the hardware firewall. Accordingly, the traditional firewall at the entry point does not filter internal computer communication traffic and thus cannot protect computers on a local area network from an internal threat.
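As an added illustration (not part of this document), the following Python model reproduces the two points above for the network of FIG. 1: a perimeter firewall applying a positive control model with default deny, and the fact that only north-south traffic traverses it, so east-west traffic between computers 102A-102N and server 115 is delivered without any inspection. All addresses, ports and rules are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing for FIG. 1 (assumption, not from the document).
LAN = ip_network("192.168.1.0/24")   # trusted zone: server 115 and computers 102A-102N
SERVER_115 = "192.168.1.10"          # assumed address of server 115


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR the source address must fall within
    dst: str      # CIDR the destination address must fall within
    dport: int
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.dport == self.dport and p.proto == self.proto)


def zone(addr: str) -> str:
    """Perimeter view: inside the LAN is trusted, everything else is untrusted."""
    return "trusted" if ip_address(addr) in LAN else "untrusted"


def perimeter_firewall(rules: list[Rule], p: Packet) -> str:
    """Positive control model: allow only what an explicit rule permits; default deny."""
    return "allow" if any(r.matches(p) for r in rules) else "deny"


def deliver(rules: list[Rule], p: Packet) -> tuple[str, bool]:
    """Return (verdict, inspected). Only north-south traffic crosses firewall 110;
    east-west traffic (same zone on both ends) never reaches it and is delivered as-is."""
    if zone(p.src) != zone(p.dst):
        return perimeter_firewall(rules, p), True
    return "allow", False


# Constructed policy: inbound HTTPS to server 115 and outbound HTTPS from the LAN only.
POLICY = [Rule("0.0.0.0/0", SERVER_115 + "/32", 443), Rule(str(LAN), "0.0.0.0/0", 443)]
```

`deliver(POLICY, Packet("192.168.1.20", SERVER_115, 22))` returns `("allow", False)`: an internal host reaching SSH on server 115 is never evaluated against the policy, which is the internal-threat gap the text describes.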
Multiple firewalls may be used within a local area network, subdividing the local area network into smaller subnetworks that are protected from each other. However, such an infrastructure is overly expensive. Moreover, different policies are often applied to each of the firewalls, thereby increasing both the complexity of administration and the packet-filtering load within the network.
Each computer 102A-102N in a local area network may additionally have its own software firewall that is part of the computer operating system and is executed to further deny or allow packets to enter a client computer or a computer server. However, each software firewall also requires tedious configuration as to the types of packets or software applications that will be used. Users often turn off the software firewall on their computers within the local area network so that software applications can function with servers outside the network, defeating the purpose of the software firewall. Oftentimes, users are unaware of the software firewall and never turn it on to protect their client computer.
Protecting each and every computer server in a data center, including virtual servers, further complicates matters with regard to software firewalls. Certain computer servers in a data center often need to be protected and firewalled from other computer servers in the same data center, and not just from the Internet.
Furthermore, setting up each and every software firewall for each and every computer server in a data center is rather tedious. Virtual machines or servers can readily come online within a hardware computer server, each requiring its software firewall to be set up before it can be used.
Additionally, software firewalls tend to become network bottlenecks. Due to the increasing speed of networks, amount of data passing through, and the complexity of protocols that firewalls must support, software firewalls are more likely to be the congestion points of networks.