1. Field of Invention
Embodiments of the invention relate in general to the filtering of data packets by network security devices in a communication network. More specifically, the embodiments of the invention relate to methods and systems for enhancing the performance of network security devices.
2. Description of the Background Art
In the field of packet-switched network devices, different security technologies, such as VPN, SSL/TLS, firewall, IDS, IPS and content filtering, are merging into a single platform. Therefore, the operations that used to be performed by separate network security devices on each data packet being transmitted are now performed in a single device.
Network security devices maintain state for each network connection in the form of a per-connection object. When a connection is first seen, it passes through a classification engine that determines which functionalities (also called plug-in modules, applications or operations) need to be applied to the packets belonging to that connection. This decision is stored in the connection object as a control key. A dispatcher unit reads the control key and sends each packet of the connection to the required applications, either in the order specified by the control key or in a fixed, hard-coded order chosen by the engineer who developed the device.
A security device may drop data packets according to arbitrary policies. Detecting such to-be-dropped packets early increases the device's performance: once a packet has been tagged for dropping, any further processing of it is redundant and can be skipped.
In conventional techniques, the order in which the security operations are applied is static. It is fixed at design time, on the basis of empirical or design analysis, to maximize the throughput of the network security device for a general traffic pattern assumed or studied by the device's developer. It does not adapt to the traffic pattern actually observed on a particular network.
Further, low-level programming techniques such as parallelism and compiler optimization are also available to maximize the performance of network security devices. However, they do not provide a dynamic method of improving it.
Additionally, the performance of network security devices can be improved by techniques such as Random Early Detection (RED). RED drops packets probabilistically, based on the average occupancy of a queue, before the queue overflows. It is a congestion-avoidance mechanism rather than an attack-detection one: its drop decision is statistical, and it does not use any feedback from the device's dropped-packet counters to improve performance.
To summarize, in conventional techniques the performance of network security devices is statically controlled, and their throughput is limited by CPU processing power. There is room for improvement precisely when the device is under a high load of attacking packets: if the device's policies detect these malicious packets, they can be dropped earlier than legitimate packets are processed, saving CPU cycles for the processing of additional packets. Conventional techniques, however, may not identify the attacking packets early enough to skip the redundant processing and save those CPU cycles.
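The connection-object, control-key and dispatcher arrangement described above, the saving obtained by stopping work on a packet as soon as one module drops it, and the kind of dropped-packet-counter feedback that the conventional techniques are said to lack can all be illustrated with a small simulation. This is an added example, not code from the patent or from any device it describes; the module names and their policies, the five-tuple, the constructed packet stream and the `reorder_by_drops` feedback step are hypothetical illustrations, and the feedback step in particular is one simple possibility, not the method the patent claims.

```python
"""Constructed simulation of a per-connection object, control key and
dispatcher with early drop, plus a drop-counter feedback step.
Added example; module names, policies and traffic are hypothetical."""
from collections import Counter

PASS, DROP = "pass", "drop"


# Hypothetical plug-in modules. Each takes a packet (a dict) and returns a verdict.
def firewall(pkt):
    """Stateless port policy (constructed): only web ports are allowed."""
    return PASS if pkt["dport"] in (80, 443) else DROP


def ids(pkt):
    """Signature match on the payload (constructed signature)."""
    return DROP if b"EVIL" in pkt["payload"] else PASS


def ips(pkt):
    """Size policy (constructed): drop oversized payloads."""
    return DROP if len(pkt["payload"]) > 1400 else PASS


def content_filter(pkt):
    """Host block-list (constructed)."""
    return DROP if pkt.get("host") in {"blocked.example"} else PASS


MODULES = {"firewall": firewall, "ids": ids, "ips": ips, "content_filter": content_filter}


class Connection:
    """Per-connection object: the classification result (control key),
    the order the dispatcher currently uses, and per-module drop counters."""

    def __init__(self, five_tuple, control_key):
        self.five_tuple = five_tuple
        self.control_key = control_key  # ordered tuple of module names
        self.order = control_key        # order the dispatcher currently applies
        self.drops = Counter()          # module name -> packets it dropped


def classify(five_tuple):
    """Classification engine: choose the modules for a new connection.
    Hypothetical policy: TLS connections skip the content filter."""
    proto, _src, _sport, _dst, dport = five_tuple
    if proto == "tcp" and dport == 443:
        return ("firewall", "ids", "ips")
    return ("firewall", "ids", "ips", "content_filter")


def dispatch(conn, pkt):
    """Run the modules in conn.order and stop at the first DROP (early drop).
    Returns (verdict, number of module invocations spent on this packet)."""
    invoked = 0
    for name in conn.order:
        invoked += 1
        if MODULES[name](pkt) == DROP:
            conn.drops[name] += 1
            return DROP, invoked
    return PASS, invoked


def reorder_by_drops(conn):
    """Hypothetical feedback step: move the modules that drop most to the
    front. Stable sort keeps the control-key order among ties. Only valid
    when module verdicts do not depend on which modules ran before them."""
    conn.order = tuple(sorted(conn.control_key, key=lambda m: -conn.drops[m]))
    return conn.order


def sample_stream():
    """Constructed traffic: 8 attack packets carrying the IDS signature,
    interleaved with 2 legitimate packets, all on one port-80 connection."""
    attack = {"dport": 80, "payload": b"GET /?x=EVIL HTTP/1.1", "host": "example.com"}
    legit = {"dport": 80, "payload": b"GET / HTTP/1.1", "host": "example.com"}
    return [attack] * 4 + [legit] + [attack] * 4 + [legit]


def run(packets, adaptive):
    """Process a packet stream on one connection.
    Returns (packets dropped, total module invocations)."""
    five_tuple = ("tcp", "10.0.0.5", 40000, "192.0.2.10", 80)
    conn = Connection(five_tuple, classify(five_tuple))
    dropped = total = 0
    for i, pkt in enumerate(packets):
        verdict, n = dispatch(conn, pkt)
        total += n
        dropped += verdict == DROP
        if adaptive and i == 3:  # re-evaluate the order once a few packets have been seen
            reorder_by_drops(conn)
    return dropped, total


if __name__ == "__main__":
    for adaptive in (False, True):
        dropped, total = run(sample_stream(), adaptive)
        print(f"adaptive={adaptive}: dropped={dropped} invocations={total}")
```

With the static control-key order every attack packet costs two module invocations (the firewall passes it, the IDS drops it); once the IDS has been moved to the front the same packet costs one, so the adaptive run spends 20 invocations on the constructed stream against 24 for the static run while dropping the same 8 packets. Two caveats a practitioner would check before reordering on a real device: modules are only interchangeable when their verdicts are order-independent (a VPN decryption or reassembly stage has to stay ahead of the inspectors that read its output, and a module that must see every packet for state tracking cannot be short-circuited), and the drop counters should be windowed or decayed so that the order follows the current traffic rather than an attacker's deliberate attempt to train it.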