As the Internet becomes more ubiquitous, the network becomes increasingly vulnerable to overload and misuse. The need to control access to Internet services and to control Wide Area Network (WAN) bandwidth leads to a need for firewalls and quality of service (QoS) based networks. In addition, the lack of ample public IP (Internet Protocol) addresses and the need to secure private networks from outside networks lead to Network Address Translation (NAT).
A number of new Internet based protocols have been developed to support a wide range of applications and services. Each of these new protocols brings with it usability issues and security concerns, especially for enterprises that want to gain the obvious advantages of being part of the Internet while at the same time protecting their internal computing and data resources. Hence, it is increasingly desirable to inspect and authorize all data traffic flowing into and out of enterprise networks. This typically requires the enterprise or carrier firewall to recognize the various protocols in the Internet traffic flowing through it and to apply the appropriate security policy to that traffic. However, recognizing the various protocols presents serious challenges.
Many IP based protocols can be identified just by looking at the transport layer (layer 4) information (e.g., the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port number). However, many newer protocols do not use just one port. Instead, they dynamically allocate ports and use them. Examples of such protocols are the File Transfer Protocol (FTP) and the H.323 series of ITU (International Telecommunications Union) protocols.
Many of the Internet protocols also have an associated set of subsidiary channels in addition to the main channel through which communication takes place between two network nodes. Such usage can be found, for example, in H.323 and FTP. Such channels need to be statefully identified for the firewall to operate safely, and they should be closed when the main channel closes.
Additionally, to conserve IP addresses and to protect the private addresses of enterprises, Network Address Translation (NAT) can be used. Use of NAT in a device may add further requirements, because some protocols send IP address (layer 3) and port (layer 4) information within the application data (layer 7). Thus the layer 7 information must be transformed appropriately on the two (public and private) sides of the device.
Further, the use of NAT may cause many applications to stop working across the translation boundary unless the device that performs the NAT operation also translates addresses in the application layer in addition to the network layer. FTP is an example of a protocol that requires such changes to application layer information, because its dynamic data channel is negotiated in the application layer.
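As an added illustration (not code from the original document), the following hypothetical Python sketch shows why the FTP data channel forces a NAT device into layer 7: it parses the client's PORT command, rewrites the embedded private address to an assumed public address (203.0.113.5 in the test), records the expected data channel as a pinhole tied to the control flow, and tears the pinholes down when the control channel closes. Flow identifiers, port allocation and the in-memory tables are simplifications chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Matches an FTP PORT command: four address octets, then the port as (high, low) octets.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(line):
    # Decode a PORT line into (ip, port); None if the line is not a well-formed PORT.
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, (nums[4] << 8) | nums[5]

def build_port(ip, port):
    # Encode (ip, port) back into the comma-separated PORT syntax.
    octets = ip.split(".") + [str(port >> 8), str(port & 0xFF)]
    return "PORT " + ",".join(octets) + "\r\n"

@dataclass
class FtpAlg:
    public_ip: str
    next_port: int = 40000  # simplistic public port allocator (assumption)
    # control flow id -> list of (public (ip, port), private (ip, port)) pinholes
    pinholes: dict = field(default_factory=dict)

    def handle_control(self, flow_id, line):
        # Rewrite a client->server PORT line; non-PORT lines pass through untouched.
        parsed = parse_port(line)
        if parsed is None:
            return line, None
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.pinholes.setdefault(flow_id, []).append((public, parsed))
        return build_port(*public), public

    def data_allowed(self, dst):
        # Firewall check for an inbound data connection: return the private
        # (ip, port) it maps to if a control channel announced it, else None.
        for holes in self.pinholes.values():
            for public, private in holes:
                if public == dst:
                    return private
        return None

    def close_control(self, flow_id):
        # Main channel closed: drop every subsidiary channel it had opened.
        return self.pinholes.pop(flow_id, [])
```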
Conventional protocol classification systems typically suffer from a lack of standards on one or more of: 1) representation of abstract information, such representation typically being left to the programmer's choice; 2) representation of state information; 3) storage of a protocol classification tree that can be dynamically modified; 4) storage of policies and their linkage to the protocol classification tree; 5) a practical application programmer interface to manage the firewall, NAT and QoS; and 6) a way to handle complex protocols such as H.323 with the above features.
Therefore, it is desirable to provide a method and apparatus for classifying PDUs based on hierarchical protocol classification, while providing support for NAT, firewall decisions and QoS tagging.