A middlebox or network device is a computer network device that transforms, inspects, filters, or manipulates traffic for purposes other than packet forwarding. Common examples of middleboxes include firewalls, which filter out malicious or unwanted traffic, and network address translators, which modify the source and destination addresses of packets. Dedicated middlebox hardware is widely deployed in enterprise networks to improve network performance and security; however, even home network routers often have built-in firewall, NAT, or other middlebox functionality. The widespread deployment of middleboxes and other network devices has led to some challenges and criticisms due to poor interaction with higher layer protocols.

Some middleboxes interfere with application functionality, restricting or preventing applications on the end host from working properly. In particular, network address translators present a challenge because a NAT device divides traffic destined for a single public IP address among multiple internal receivers. When a connection between a host on the Internet and a host behind the NAT is initiated by the host behind the NAT, the NAT learns that the traffic for that connection belongs to that local host. Therefore, when traffic from the Internet is destined for the public address on a particular port, the NAT can direct it to the appropriate host.

However, a connection initiated by a host on the Internet gives the NAT no opportunity to learn which internal host the connection belongs to. Also, the internal host may not even know its own public IP address, so it cannot tell potential peers which address to connect to. To solve this problem, several new protocols have been proposed.
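The two paragraphs above describe why outbound connections work through a NAT while unsolicited inbound ones do not. The following toy translation table is an added example (not code from the original page); all IP addresses and ports in it are constructed sample values from documentation ranges.

```python
"""Toy NAT translation table (added example, not from the original page).

An outbound flow from a private host creates a mapping, so replies to the
mapped public port are forwarded back; an inbound packet that matches no
mapping has no known internal owner and is dropped.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # constructed sample value (TEST-NET-3 range)


@dataclass
class Nat:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000  # first public port handed out (constructed)
    # key: (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network, creating a mapping
        if this flow has not been seen before."""
        for (pub_port, r_ip, r_port), (i_ip, i_port) in self.table.items():
            if (i_ip, i_port, r_ip, r_port) == (src_ip, src_port, dst_ip, dst_port):
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from the Internet; None means dropped."""
        if dst_ip != self.public_ip:
            return None
        entry = self.table.get((dst_port, src_ip, src_port))
        if entry is None:
            return None  # no internal host was ever learned for this flow
        int_ip, int_port = entry
        return (src_ip, src_port, int_ip, int_port)


def demo():
    """Run the three cases the article describes and return their results."""
    nat = Nat()
    # 1. Host behind the NAT opens a connection to a public server.
    out = nat.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    # 2. The server's reply to the mapped public port reaches the internal host.
    reply = nat.inbound("198.51.100.20", 443, out[0], out[1])
    # 3. A fresh connection from the Internet to the public address: no mapping.
    unsolicited = nat.inbound("198.51.100.30", 5060, PUBLIC_IP, 5060)
    return out, reply, unsolicited
```

Running `demo()` shows the reply packet rewritten to the internal host while the unsolicited packet yields `None`, which is exactly the situation that later NAT-traversal protocols were designed to work around.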

One of the criticisms of middleboxes is that they can limit the choice of transport protocols, thus limiting application or service designs. Middleboxes can filter or remove traffic that does not conform to expected behaviors, so new or unusual protocols or protocol extensions can be filtered. Specifically, because middleboxes make hosts in private address domains unable to “pass identifiers that allow other hosts to communicate with them,” this has hampered the spread of newer protocols such as the Session Initiation Protocol (SIP), as well as various peer-to-peer systems. This progressive reduction in flexibility has been described as protocol ossification.

See also:
Sandboxing: how this security technique is useful
Differences between switch, hub and router devices

