Enterprise networks are threatened with a variety of security issues on a daily basis. These threats can be either internal or external. Internal threats range from break in attempts by disgruntled employees, virus or worms let loose by employees or just employee network access behavior deemed unacceptable per enterprise security policies. External threats range from dedicated attacks on the enterprise network in an attempt to steal intellectual property, denial of service attacks, unauthorized intrusions, viruses and worms etc. In all of these cases, a packet firewall is a network administrator's primary form of defense.
Packet firewalls sit inline with network traffic, intercept incoming packets, and verify each packet against a set of firewall rules to accept, reject and optionally log the packet. In addition to packet filtering, network administrators sometimes also use packet filters to enforce traffic management policies. Such policies are useful in limiting or controlling offensive behavior. Due to the fact that packet firewalls sit inline with and inspect all network traffic, it is important that the firewall should be able to provide sufficient network throughput to keep up with network traffic demands. In today's enterprise networks, firewall rules are typically limited to 2500 Cisco ACL (access control list) rules These rules are fairly specific, and are designed to allow or reject specific activities or hosts. The ACL rules are limited to this number for performance and manageability reasons. The number of rules directly affects router performance, hence these rules are maintained at a low number. Moreover, large number of rules also makes rules management more error-prone and difficult to verify or modify. In a large organization, the rules are distributed across firewalls in various sites, and adapted as necessary, increasing chances of an error. For these reasons, the number of rules must be maintained at a manageable level.
Under a typical advanced firewall implementation, two levels of filtering are employed. At the first level, filtering is performed based on applicable ACL rules. In this instance, a highest-priority rule corresponding to the ACL database is identified based on the packet header information. For example, the rule may be identified based on a five-tuple input corresponding to values for the source and destination addresses, source and destination ports, and protocol using well-known classification algorithms. Since many attacks (particularly denial of service attacks) will originate from a known source address using a particular port, packets corresponding to these attacks can be readily identified, and appropriate rules (e.g., drop packet) may be employed to effect a desired firewall policy. This first level of filtering can be implemented at line-rate speeds using modern networking equipment. Under some implementations, dedicated components or separate computers are employed for performing these filtering operations.
The second level of filtering relates to packet inspection. In this case, the actual packet payload is searched for a particular string or set of strings. For example, the firewall applications may need to search for certain strings indicative of a virus or Internet worm that is present in the packet. In addition, other non-security applications may likewise need to peek into the packet payload, such as for load balancing or billing purposes. These operations, known as “content inspection” or “(deep) packet inspection,” involve inspecting the packet payload for candidate patterns and taking actions based on the presence or absence of these patterns.
Under some firewall implementations, packet/content inspection is off-loaded to a separate application or sub-system that does not support line-rate speeds. For example, these operations may be performed by a separate computer host or embedded general-purpose processor coupled to or provided by a network device. Since the operations are not performed at line-rate (and thus not restricted to corresponding processing latencies), they can employ larger but slower, less-expensive memory (e.g., DRAM (dynamic random access memory)), and employ conventional string search techniques.
Network processors (also referred to as network processor units (NPUs)) are increasingly being used in a variety of networking equipment due to their cost effectiveness, processing speed, flexibility, and upgradeability. In constructing next-generation networking platforms, it is desirable that robust firewall functionality be added without requiring the addition of specialized firewall components, instead utilizing network processor technology and adding firewall functionality to NPU code in a reusable, scaleable fashion.
Content inspection is a resource intensive activity as it involves scanning the entire packet payload for a set of patterns. The inspection algorithms consume significant amount of memory bandwidth as well as compute resources, significantly impacting overall performance. The performance of content inspection algorithms can be improved if we reduce the amount of data scanned in a packet. One technique of reducing the amount of data scanned is to use heuristics information associated with patterns. In many cases, a pattern in a packet would have special significance only if it is present in certain portion of a packet. For example, if the content inspection module is scanning for a URL, then the approximate location where the URL string would be valid in a packet can be specified a priori. The information that can be used to restrict the packet search space is offset and depth. The offset parameter indicates the starting position in the packet that a string should be searched from and the depth parameter indicates the ending position in the packet until which the string should be searched. The offset and depth are typically specified for individual strings. However, content inspection systems need to simultaneously search for multiple patterns in a packet. Under conventional techniques, this cannot be done at line-rate speeds and it scalability is limited.