Packet classification and inspection, categorizing packets into flows and checking headers to decide how each data block should be handled, are essential to services processing. Traditional routers classify packets by checking their headers against access control lists (ACLs) to determine where the packets should go next. But because different services do not share a uniform ACL syntax, one packet must be classified and inspected multiple times, once per service.
Today, vendors are consolidating multiple services onto a single device, yet these devices still classify packets one service at a time, so every additional service adds processing overhead and inefficiency. Single-pass classification and inspection avoids this and improves CPU efficiency by classifying a packet for all services in one pass.
At the heart of one-pass packet classification is a single, flexible, extensible syntax that administrators use to define a common classification and to specify policies for all services, down to an application's payload. The same syntax can express complex classifications for QoS, anti-virus, VoIP and other applications, which older per-service syntaxes cannot.
For single-pass packet classification to work well, packets must flow through a multi-function services gateway in a fixed order so that each service is applied at the correct point. In multiple-pass classification, a services gateway sends a packet first to a router, where the first classification occurs; this exposes the router to denial-of-service attacks and other security problems before any firewall policy has been applied. Once the packet leaves the router and reaches a firewall, it is classified again, and so on for every service in the consolidated device. Each pass uses CPU cycles, adds latency and introduces another opportunity for classification errors.
With single-pass packet classification, a packet enters the firewall first, which shields every other service in the gateway. In the firewall, the IPSec service decrypts the packet where needed and classifies it just once, using the common classification, then attaches a tag recording which services need to process the packet. The packet then passes to a filter in the services gateway that accepts or denies it based on the information in the tag.
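The following is an added example, not code from the article or from any vendor's product: a toy services gateway that shows the single-pass model described above. One rule syntax carries the match criteria and the per-service action for every service (firewall, QoS, VoIP, anti-virus), the packet's headers and payload are inspected once, and the resulting tag drives each downstream service in gateway order with the firewall first. A multi-pass variant that re-classifies the packet for every service is included for comparison. The packet fields, rule format, service names and addresses are this example's own assumptions.

```python
"""Added example: single-pass vs. multi-pass packet classification (toy model).
Field names, rule format and service names are assumptions of this example."""
import ipaddress
from dataclasses import dataclass, field

# Services the gateway offers, in the order it applies them (firewall first).
FIREWALL, QOS, VOIP, AV = "firewall", "qos", "voip", "av"
SERVICE_ORDER = (FIREWALL, QOS, VOIP, AV)

# Counts how many times a packet's headers/payload were parsed and matched.
STATS = {"classifications": 0}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # constructed sample payload, used for L7 matching


@dataclass
class Tag:
    flow: tuple                                  # 5-tuple-style flow key
    actions: dict = field(default_factory=dict)  # service -> parameter


# One common rule syntax for all services. A rule's "match" block is checked
# once; its "actions" block tells every service what to do with the packet.
RULES = [
    {"match": {"proto": "udp", "dport": 5060},
     "actions": {FIREWALL: "allow", VOIP: "sip", QOS: "ef"}},
    {"match": {"proto": "tcp", "dport": 80, "payload_prefix": b"GET "},
     "actions": {FIREWALL: "allow", AV: "scan-http", QOS: "best-effort"}},
    {"match": {"proto": "tcp", "dport": 22, "src_net": "10.0.0.0/8"},
     "actions": {FIREWALL: "allow", QOS: "af31"}},
]
DEFAULT_ACTIONS = {FIREWALL: "deny"}   # nothing matched: drop at the firewall


def _matches(match, pkt):
    if "proto" in match and pkt.proto != match["proto"]:
        return False
    if "dport" in match and pkt.dport != match["dport"]:
        return False
    if "src_net" in match and ipaddress.ip_address(pkt.src) not in \
            ipaddress.ip_network(match["src_net"]):
        return False
    if "payload_prefix" in match and not pkt.payload.startswith(match["payload_prefix"]):
        return False
    return True


def classify_once(pkt, rules=RULES):
    """Inspect headers and payload one time and emit a tag for all services.
    Every matching rule contributes its actions to the tag."""
    STATS["classifications"] += 1
    tag = Tag(flow=(pkt.src, pkt.dst, pkt.proto, pkt.dport))
    for rule in rules:
        if _matches(rule["match"], pkt):
            tag.actions.update(rule["actions"])
    if not tag.actions:
        tag.actions = dict(DEFAULT_ACTIONS)
    return tag


def _run_services(pkt, tag_for_service):
    """Walk the services in gateway order; a firewall deny stops the chain,
    so no service behind the firewall ever sees a denied packet."""
    steps = []
    for svc in SERVICE_ORDER:
        param = tag_for_service(svc).actions.get(svc)
        if param is None:
            continue
        steps.append((svc, param))
        if svc == FIREWALL and param == "deny":
            break
    return steps


def process_single_pass(pkt):
    """Classify once, then let every service consume the same tag."""
    tag = classify_once(pkt)
    return _run_services(pkt, lambda svc: tag)


def process_multi_pass(pkt):
    """Legacy behaviour: each service re-parses and re-classifies the packet."""
    return _run_services(pkt, lambda svc: classify_once(pkt))


def classification_count():
    return STATS["classifications"]


def reset_stats():
    STATS["classifications"] = 0


if __name__ == "__main__":
    sip = Packet("192.0.2.10", "198.51.100.5", "udp", 5060)   # constructed sample
    reset_stats(); print(process_single_pass(sip), classification_count())
    reset_stats(); print(process_multi_pass(sip), classification_count())
```

Both paths produce the same sequence of service actions; the difference is that the single-pass path parses the packet once while the multi-pass path parses it once per service, which is the CPU and latency cost the article attributes to consolidated devices that still classify per service.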