Network security is an item of great concern, one that could potentially stall the wide scale deployment of circuit switched networks in the public-private arena. The present invention concerns a new apparatus for establishing network security that provides a strong degree of flow selectability without negatively impacting the performance advantages of high speed circuit switched networks.
One of the strengths of our invention is that it achieves a significant degree of security, yet does so with a low cost and complexity. An additional strength of the invention is that security can be provided for widely varying network transmission rates, from low speed narrowband ISDN operating in the range of kilobits per second to high speed broadband networks operating above gigabits per second. The flexibility is maintained while still preserving the relative low cost and complexity advantages. This is important since circuit switched networks may soon be widely deployed. This is particularly true in lower speed environments, such as residential broadband networks (RBB), where low cost is essential. RBB deployment will include not only the typical users of high-speed circuit switched networking services but will also include deployment to the home and small business. It does not matter if this "last-mile" deployment is via optical fiber, coax cable, or twisted-pair copper wire or if the service is provided by traditional telecommunications companies, cable companies, or independent service providers. The present invention can provide firewall security in all such deployments.
The terms "cell," "Protocol Data Unit (PDU)," "datagram," "frame," and "packet" are used to denote objects transmitted through the network. The context of connection-oriented or connectionless communications is implied through the terms used. The terms "packet-switched" and "circuit-switched" are used with connectionless and connection-oriented communication, respectively. "PDU" is a generic term, used for both connectionless and connection-oriented communication, which denotes an object of transfer specific to a layer of the protocol stack. Connectionless communication, such as found in the Internet Protocol (IP), provides best effort delivery of datagrams or packets. Unless otherwise noted, the terms "datagram" and "packet" are used to denote IP-type packets (network layer PDUs) that contain transport layer PDUs, such as a TCP or UDP encapsulated data segment, in their payload. The size of objects transmitted on the physical layer is limited to the Maximum Transmission Unit (MTU). The term "frame" is used to denote a link level PDU in connection-oriented communication. The term "cell" is used to denote the segmentation of a connection-oriented link layer PDU frame into a fixed size limited by the MTU of the physical layer PDU. For example, in the Asynchronous Transfer Mode (ATM) protocol, the cell size is 53 bytes. A "flow" is a communication session between two network endpoints that can be used for the transfer of PDUs. A flow in the context of packet switching networks would be a series of related packets moving between two endpoints but in a connectionless fashion.
As an example, in a connectionless environment IP (a layer three protocol) packets are encapsulated by LLC/SNAP (a layer two protocol) for transmission across Ethernet that limits the link layer PDU to approximately 1500 bytes. IP is responsible for partitioning the data into a size suitable to the lower layers.
Note that a connection-oriented network, such as ATM, can be used to provide pathways between network elements such as endpoints and IP routers. ATM establishes layer two connectivity and allows connectionless layer three traffic such as IP.
Traditional firewalls examine every single datagram contained in a datastream. This places a heavy burden on the firewall and creates a potential bottleneck in performance. While this workload may be acceptable for lower speed packet-switched networks, it is not appropriate for higher speed circuit switched networks that are carrying an increasing share of network traffic. The cost and complexity of such systems would be prohibitive. The present invention uses an alternative firewall security method where the flow, rather than an individual packet, is validated. The primary advantage of the present invention is that it determines the suitability of flows in real-time during the initial connection negotiations. Once the suitability of a connection is established, datagrams associated with that flow are allowed to proceed through the firewall with no performance degradation. In order to understand the functionality of the firewall security apparatus for high-speed circuit switched networks (firewall), it is first necessary to briefly review circuit switched network communication and general firewall security. This discussion of circuit switched network communication focuses on aspects of the protocol components and traffic trends that pertain to the firewall implementation. The present invention provides firewall security for any circuit switched network that is signaling based and works with a multitude of hardware and software protocols. Current examples of circuit switched network protocols are Asynchronous Transfer Mode (ATM) and Frame Relay. So as to explain the present invention in pragmatic terms using the current vocabulary of the art, we provide much of the background discussion using ATM as an exemplar circuit switched network protocol.
ATM is a cell based communication protocol in which all of the data transmitted in the network are broken up into 53-byte cells. Each cell contains a 5-byte header and 48 bytes of payload. The source and destination of a cell are not identified in its header. Instead, the cell headers contain an identifier whose context is only defined along a single link, not end-to-end between source and destination. The cell header contains a 12-bit virtual path indicator (VPI) and a 16-bit virtual channel indicator (VCI) that assign the cell to a specific virtual data flow along a physical link between two switches. The source and destination are only identified within the body of the initial signaling messages used to create the connection. The signaling protocol defines the edge level identifiers (VCI and VPI) at each hop along the way.
ATM is circuit switched; a circuit or path must be formed between the source and the destination before any data can be transmitted. This path is formed by initiating signaling messages that pass between switches on specific VPI, VCI pairs that are reserved solely for signaling. The payload of these cells contains information about the network service access points (NAPS), the network endpoint identifiers, for the source and destination of the connection that is requested. This information allows the switches to identify an appropriate route. The signaling channel and other channels known a priori are also used to pass status and state information between the switches.
Once the connection has been established, a cell launched from a source is transported to its destination through intermediate ATM switches via hardware routing. The connection setup process sets up the route mapping, assigning an input port, input VPI, and input VCI to a respective output port, output VPI, and output VCI at each intermediate ATM switch.
Software based cell routing is not performed at intermediate ATM switches since the route has already been constructed. This allows for fast switching, since the examination and routing is performed in hardware, but it makes it difficult to identify the source and destination of the traffic. Note that a different VPI/VCI pair is observed between the source and destination along each link. Although the same VPI/VCI pair is typically used for each direction of a bi-directional flow along a given link, this is not required.
One significant advantage of the invention is that it has decoupled the functional process of cell examination from flow approval and has devised a hierarchical structure to support the interface between the two functions. This is the key to how high-speed security can be supported at such a low cost with a significant reduction in system complexity.
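The following added example (not part of the patent text) models the flow-validated firewall described above and the decoupling of cell examination from flow approval: signaling cells on the reserved signaling channel are inspected and the source/destination endpoints checked against a policy once, and every later data cell is admitted or dropped by a (port, VPI, VCI) table lookup with no payload inspection. The 5-byte header layout and HEC computation follow the ATM NNI format; the "SETUP|src|dst|vpi|vci" and "RELEASE|vpi|vci" payload encodings are a constructed stand-in for the real signaling messages, and the NSAP-style addresses are constructed sample values.

```python
SIGNALING_VPI, SIGNALING_VCI = 0, 5   # VPI 0 / VCI 5 is the channel reserved for UNI signaling

def hec(header4: bytes) -> int:
    """Header Error Control: CRC-8 (x^8+x^2+x+1) over the first 4 header bytes, XOR 0x55."""
    crc = 0
    for b in header4:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55

def build_cell(vpi: int, vci: int, payload: bytes, pti: int = 0, clp: int = 0) -> bytes:
    """Assemble a 53-byte cell with the NNI header: 12-bit VPI, 16-bit VCI, 3-bit PTI, CLP, HEC."""
    hdr = ((vpi & 0xFFF) << 20) | ((vci & 0xFFFF) << 4) | ((pti & 0x7) << 1) | (clp & 0x1)
    h4 = hdr.to_bytes(4, "big")
    return h4 + bytes([hec(h4)]) + payload.ljust(48, b"\0")[:48]

def parse_cell_header(cell: bytes) -> dict:
    """Decode the 5-byte header; a bad length or HEC rejects the cell instead of trusting its VPI/VCI."""
    if len(cell) != 53 or hec(cell[:4]) != cell[4]:
        raise ValueError("malformed cell (length or HEC)")
    hdr = int.from_bytes(cell[:4], "big")
    return {"vpi": hdr >> 20, "vci": (hdr >> 4) & 0xFFFF, "pti": (hdr >> 1) & 0x7, "clp": hdr & 0x1}

class FlowFirewall:
    """Approves a flow once at signaling time; data cells then pass by (port, VPI, VCI) lookup alone."""
    def __init__(self, policy):
        self.policy = policy      # policy(src_nsap, dst_nsap) -> bool, applied only to SETUP messages
        self.approved = set()     # (ingress port, VPI, VCI) triples admitted at connection setup
        self.denied = []          # (port, src, dst) of refused connection requests, for audit
    def on_cell(self, port: int, cell: bytes) -> bool:
        h = parse_cell_header(cell)
        if (h["vpi"], h["vci"]) == (SIGNALING_VPI, SIGNALING_VCI):
            return self._on_signaling(port, cell[5:])
        return (port, h["vpi"], h["vci"]) in self.approved   # fast path: no payload inspection
    def _on_signaling(self, port: int, payload: bytes) -> bool:
        # Constructed stand-in for signaling: "SETUP|src|dst|vpi|vci" or "RELEASE|vpi|vci"
        f = payload.rstrip(b"\0").decode().split("|")
        if f[0] == "RELEASE":
            self.approved.discard((port, int(f[1]), int(f[2])))   # tear-down closes the flow again
            return True
        if f[0] != "SETUP":
            return True           # status and state messages on the signaling channel pass unchanged
        src, dst, vpi, vci = f[1], f[2], int(f[3]), int(f[4])
        if self.policy(src, dst):
            self.approved.add((port, vpi, vci))
            return True
        self.denied.append((port, src, dst))
        return False
```

Note that the same VPI/VCI pair on a different ingress port is a different flow, since the identifiers only have meaning along one link.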