At 702, a first packet of a data flow may be received. The first packet may be received by a router, such as a PE router or a CE router. At 704, it may be determined whether the data flow is unknown or new. The router may make this determination, which may include determining whether flow criteria extracted from the data flow match an entry in a router data flow list. The extraction may be performed by a match logic unit within the router. The router data flow list may be implemented using a data memory or a data cache, such as a content-addressable memory (CAM) or a ternary content-addressable memory (TCAM).
At 706, the first data packet may be routed to a firewall. The routing may be determined by a default flow entry list, which may facilitate the routing of data packets to two or more firewalls communicatively coupled to the router. The connection between the router and the firewall may be of any suitable type for data packets, including but not limited to an IP link. At 708, the first data packet may be validated or authorized. The validation or authorization may be performed by the firewall, which may include logic tailored for identification and validation of a data flow to protect a network. The firewall may be a stateless firewall or a stateful firewall. A stateless firewall may validate each packet of traffic separately and may base that validation only on the header of the packet. A stateful firewall may validate a data flow as a whole rather than each packet separately, and may base the validation on both the headers and the contents of the traffic.
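The sequence at 702 through 708, worked as a small simulation. This is an added example, not code from the patent or from any product it describes: a dictionary stands in for the CAM/TCAM-backed router data flow list, a hash over the extracted flow criteria stands in for the default flow entry that spreads new flows over two firewalls, and the stateless and stateful firewalls differ exactly as the text states (header-only per packet versus header plus contents per flow). The class names, the port and content rules, the sample packets and the choice to install the firewall's verdict back into the flow list after 708 are all assumptions of this example.

```python
from dataclasses import dataclass
import zlib


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: enough header fields to form flow criteria."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes = b""

    def flow_key(self):
        # Flow criteria the router's match logic extracts from the header.
        return (self.src, self.dst, self.proto, self.sport, self.dport)


class StatelessFirewall:
    """Stateless: every packet is judged on its own, from header fields only."""

    def __init__(self, allowed_ports):
        self.allowed_ports = frozenset(allowed_ports)

    def validate(self, pkt):
        return pkt.proto == "tcp" and pkt.dport in self.allowed_ports


class StatefulFirewall:
    """Stateful: the first packet of a flow is judged on header and payload,
    and the verdict is remembered for the rest of the flow."""

    def __init__(self, allowed_ports, blocked_marker=b"<script"):
        self.allowed_ports = frozenset(allowed_ports)
        self.blocked_marker = blocked_marker  # constructed content rule
        self.flows = {}  # flow key -> verdict

    def validate(self, pkt):
        key = pkt.flow_key()
        if key not in self.flows:
            header_ok = pkt.proto == "tcp" and pkt.dport in self.allowed_ports
            content_ok = self.blocked_marker not in pkt.payload
            self.flows[key] = header_ok and content_ok
        return self.flows[key]


class Router:
    """Router with a flow list (stand-in for the CAM/TCAM) and a default
    flow entry that spreads unknown flows over the attached firewalls."""

    def __init__(self, firewalls):
        self.firewalls = list(firewalls)
        self.flow_list = {}  # flow key -> action for known flows
        self.stats = {"known": 0, "unknown": 0}

    def default_flow_entry(self, key):
        # Pick a firewall per flow; hashing keeps a flow pinned to one firewall,
        # which a stateful firewall needs. The hash choice is an assumption.
        return zlib.crc32(repr(key).encode()) % len(self.firewalls)

    def handle(self, pkt):
        key = pkt.flow_key()
        if key in self.flow_list:  # 704: flow is known
            self.stats["known"] += 1
            return self.flow_list[key]
        self.stats["unknown"] += 1  # 704: flow is new
        fw = self.firewalls[self.default_flow_entry(key)]  # 706: route to a firewall
        verdict = "forward" if fw.validate(pkt) else "drop"  # 708: validate
        # Assumption: the verdict is installed so later packets of the flow
        # match at 704 and bypass the firewall.
        self.flow_list[key] = verdict
        return verdict


def run_demo():
    """Constructed traffic: a clean web flow, a flow to a closed port, and a
    flow whose first packet carries content a stateful firewall rejects."""
    router = Router([StatefulFirewall({80, 443}), StatefulFirewall({80, 443})])
    clean = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 443, b"GET / HTTP/1.1")
    closed = Packet("10.0.0.5", "192.0.2.10", "tcp", 40001, 23)
    bad = Packet("10.0.0.6", "192.0.2.10", "tcp", 40002, 80, b"POST /x <script>")
    verdicts = [router.handle(p) for p in (clean, clean, closed, bad, bad)]
    return verdicts, dict(router.stats)


def stateless_vs_stateful(pkt):
    """Same packet through both firewall types: only the stateful one inspects
    the payload, so a header-clean packet with bad content splits their verdicts."""
    return StatelessFirewall({80}).validate(pkt), StatefulFirewall({80}).validate(pkt)


if __name__ == "__main__":
    print(run_demo())
    print(stateless_vs_stateful(Packet("10.0.0.6", "192.0.2.10", "tcp", 1, 80, b"<script>")))
```

Running the block shows the second packet of each flow being answered from the flow list without touching a firewall, and `stateless_vs_stateful` shows why the stateless and stateful cases in the text are distinguished: for the same packet the stateless firewall, seeing only the header, forwards it, while the stateful one, inspecting the contents, does not.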