A network security device may provide security functions and wireless access point capability to a local area network (e.g., a network whose wireless range is currently limited to about 500 meters, though in the future it may be longer). The network security device may also connect the local area network to a wide area network (e.g., the Internet). As technology enables the security functions of the network security device to improve, and as wireless devices become more popular, there is a trend of separating the security functions and the wireless access point capability of the network security device into separate hardware devices (e.g., so that costs can be reduced by pooling the security functions in a single network security device, and so that wireless Internet access can be extended to larger geographic areas by connecting multiple access point devices to that single network security device).
Today, the network security device may offer advanced functions to client devices of the local area network such as a stateful packet inspection firewall (e.g., rule checking for inbound and/or outbound access), intrusion prevention (e.g., to protect against malicious traffic), content filtering (e.g., to enforce protection and productivity policies and to block inappropriate content), network antivirus enforcement (e.g., auto-enforcement of an anti-virus policy for always-on virus protection), network address translation, and/or virtual private networking. It is important that these advanced functions (and/or future advanced functions) remain available in networks that use separate hardware devices for the security functions (e.g., the single network security device) and for the wired or wireless access point capability (e.g., network hubs, switches, or wireless access point devices).
When multiple client devices are associated with a shared access point device, and when the multiple client devices communicate with each other (e.g., transfer files between each other, instant message each other, etc.) rather than with other devices/services on the Internet, the shared access point device creates a “local bridge” (e.g., the local bridge may be a direct logical connection between multiple client devices associated with the same access point device). This keeps the data from traveling up through the network and may reduce at least some of the latency of a communication session between multiple client devices associated with the shared access point device.
However, data exchanged over the local bridge is not filtered by the network security device when the network security device is a separate hardware device located between the shared access point device and the wide area network. Similarly, when multiple client devices associated with different access point devices are connected to the network security device through an intermediary device (e.g., a switch), the network administrator cannot apply security policies to communications between those client devices, because the intermediary device will also create a local bridge and prevent the packets from reaching the network security device. Consequently, security policies cannot be effectively applied to communications between certain client devices when separate hardware devices are used for the security functions and for the wired or wireless access point capability (e.g., because the local bridge prevents the packets from reaching the network security device).
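The bypass described above, as an added example that is not part of the original text: a small Python model of such a network (every device name below is constructed) that computes the device at which each client-to-client flow is bridged, and therefore which client pairs never have their traffic pass through the network security device.

```python
"""Where a local bridge short-circuits the network security device.

Constructed topology (an assumption, not from the text): the security
device is the root, access points and switches are interior nodes, and
client devices are leaves.  Every bridging device (access point or switch)
that has both endpoints of a flow beneath it forwards the frames directly,
so a flow reaches the security device only when no lower device does.
"""

SECURITY_DEVICE = "security_device"
WAN = "wan"

# Parent of each LAN node; the security device itself has no LAN-side parent.
TOPOLOGY = {
    "switch1": SECURITY_DEVICE,
    "ap1": "switch1",
    "ap2": "switch1",
    "ap3": SECURITY_DEVICE,   # access point wired directly to the security device
    "alice": "ap1",
    "bob": "ap1",             # same access point as alice
    "carol": "ap2",           # different access point, same switch as alice
    "dave": "ap3",            # reachable from alice only via the security device
}


def ancestors(node):
    """Chain of devices from `node` up to (and including) the security device."""
    chain = [node]
    while chain[-1] != SECURITY_DEVICE:
        chain.append(TOPOLOGY[chain[-1]])
    return chain


def forwarding_point(src, dst):
    """First device on src's upward path that also lies above dst.

    That device bridges the flow locally, so frames turn around there.
    Flows to the wide area network always traverse the security device.
    """
    if dst == WAN:
        return SECURITY_DEVICE
    above_dst = set(ancestors(dst))
    return next(hop for hop in ancestors(src) if hop in above_dst)


def policy_enforced(src, dst):
    """True only when the flow actually passes through the security device."""
    return forwarding_point(src, dst) == SECURITY_DEVICE


def unfiltered_pairs():
    """Audit helper: every client pair whose traffic the security device never sees."""
    clients = [n for n in TOPOLOGY if n not in TOPOLOGY.values()]
    return sorted((a, b) for i, a in enumerate(clients)
                  for b in clients[i + 1:] if not policy_enforced(a, b))
```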