Channel data encapsulation system and method for use with client-server data channels

US 10,142,356 B2
Filed: 07/29/2016
Issued: 11/27/2018
Est. Priority Date: 07/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and a first encapsulated data;

performing a security service on the first encapsulated data using the first encapsulation context, wherein the security service is one of a plurality of microservices used to secure traffic passing between applications and servers through a routing network;

receiving, by the first security microservice, a response from the second security microservice comprising a second security microservice context, a second timestamp, and a second load;

generating, by the first security microservice, a first timestamp and a first load, wherein the timestamps represent the duration of processing performed by the first and second microservices and the first and second loads represent the loading of the first and second microservices processing the encapsulated channel data, the loading being represented in either relative or absolute terms; and

transmitting, by the first security microservice, a response to the first channel data encapsulation packet, wherein the response includes the first timestamp and first load generated by the first security microservice, wherein the timestamp and load values are recorded to be used in load balancing decisions for future security service requests among microservices; and

wherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to one or more hardware processors executing the first and second security microservices.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed that relate to network security to monitor and report threats in network traffic of a datacenter. For example, one embodiment discloses a method of receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and a first encapsulated data, performing a security service on the first encapsulated data using the first encapsulation context, transmitting by the first security microservice a second channel data encapsulation packet to a second security microservice, wherein the second channel encapsulation packet comprises a request for security services, receiving by the first security microservice a response from the second security microservice comprising a second security microservice context, a second security microservice timestamp, and a second security microservice load. The first security microservice further generates a timestamp and a load included in a response to the first channel data encapsulation packet.

20 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and a first encapsulated data;
  
  performing a security service on the first encapsulated data using the first encapsulation context, wherein the security service is one of a plurality of microservices used to secure traffic passing between applications and servers through a routing network;
  
  receiving, by the first security microservice, a response from the second security microservice comprising a second security microservice context, a second timestamp, and a second load;
  
  generating, by the first security microservice, a first timestamp and a first load, wherein the timestamps represent the duration of processing performed by the first and second microservices and the first and second loads represent the loading of the first and second microservices processing the encapsulated channel data, the loading being represented in either relative or absolute terms; and
  
  transmitting, by the first security microservice, a response to the first channel data encapsulation packet, wherein the response includes the first timestamp and first load generated by the first security microservice, wherein the timestamp and load values are recorded to be used in load balancing decisions for future security service requests among microservices; and
  
  wherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to one or more hardware processors executing the first and second security microservices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first channel data encapsulation packet to contain an encapsulation identifier to distinguish a data channel associated with the first data channel encapsulation packet within a network environment.
  - 3. The method of claim 2, wherein the first channel data encapsulation packet to contain an encapsulation header.
  - 4. The method of claim 3, wherein the encapsulation header to define a location within the first channel data encapsulation packet of the first encapsulation context and a first encapsulation service load.
  - 5. The method of claim 4, wherein the encapsulation header further to define a timestamp, and wherein the first security microservice to record the second security microservice timestamp and the second security microservice load.
  - 6. The method of claim 3, wherein the first channel data encapsulation packet further to include an encapsulation checksum.
  - 7. The method of claim 6, wherein calculating the encapsulation checksum to use the encapsulation identifier and the encapsulation header.

8. A system comprising:
- a memory; and
  
  a processor to execute instructions to implement a first security microservice, the first security microservice to;
  
  receive a first channel data encapsulation packet encapsulating a first encapsulation context and a first encapsulated data;
  
  perform a security service on the first encapsulated data using the first encapsulation context, wherein the security service is one of a plurality of microservices used to secure traffic passing between applications and servers through a routing network;
  
  transmit a second channel data encapsulation packet to a second security microservice, wherein the second channel data encapsulation packet comprises a request for security services;
  
  receive a response from the second security microservice comprising a second security microservice context, a second timestamp, and a second load;
  
  generate a first timestamp and a first load, wherein the timestamps represent the duration of processing performed by the first and second microservices and the loads represent the loading of the first and second microservices processing the encapsulated channel data, the loading being represented in either relative or absolute terms; and
  
  transmit a response to the first channel data encapsulation packet, the response including the first timestamp and first load, wherein the timestamp and load values are recorded to be used in load balancing decisions for future security service requests among microservices, andwherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to one or more hardware processors executing the first and second security microservices.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8,wherein the first channel data encapsulation packet to contain an encapsulation identifier to distinguish a data channel associated with the first data channel encapsulation packet within a network environment.
  - 10. The system of claim 9,wherein the first channel data encapsulation packet to contain an encapsulation header.
  - 11. The system of claim 10, wherein the encapsulation header to define a location within the first channel data encapsulation packet of the first encapsulation context and a first encapsulation service load.
  - 12. The system of claim 11, wherein the encapsulation header further to define a timestamp.
  - 13. The system of claim 10, wherein the first channel data encapsulation packet further to include an encapsulation checksum.
  - 14. The system of claim 13, wherein the first security microservice to use the encapsulation identifier and the encapsulation header when calculating the encapsulation checksum.
  - 15. The system of claim 8, wherein the first security microservice to record the second security microservice timestamp and the second security microservice load.

16. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method comprising:
- receiving, by a first security microservice, a first channel data encapsulation packet encapsulating a first encapsulation context and a first encapsulated data;
  
  performing a security service on the first encapsulated data using the first encapsulation context, wherein the security service is one of a plurality of microservices used to secure traffic passing between applications and servers through a routing network;
  
  transmitting, by the first security microservice, a second channel data encapsulation packet to a second security microservice, wherein the second channel data encapsulation packet comprises a request for security services;
  
  receiving by the first security microservice a response from the second security microservice comprising a second security microservice context, a second timestamp, and a second load;
  
  generating, by the first security microservice, a first timestamp and a first load, wherein the timestamps represent the duration of processing performed by the first and second microservices and the first and second loads represent the loading of the first and second microservices processing the encapsulated channel data, the loading being represented in either relative or absolute terms; and
  
  transmitting, by the first security microservice, a response to the first channel data encapsulation packet, wherein the response includes the first timestamp and first load generated by the first security microservice, wherein the timestamp and load values are recorded to be used in load balancing decisions for future security service requests among microservices; and
  
  wherein the first and second security microservices are implemented with computer-readable instructions stored in memory on a network security server, the memory coupled to one or more hardware processors executing the first and second security microservices.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the first channel data encapsulation packet to contain an encapsulation identifier to distinguish a data channel associated with the first data channel encapsulation packet within a network environment.
  - 18. The non-transitory computer-readable medium of claim 16, wherein the first channel data encapsulation packet to contain an encapsulation header.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the encapsulation header to define a location within the first channel data encapsulation packet of the first encapsulation context and the first encapsulation data.
  - 20. The non-transitory computer-readable medium of claim 18, wherein the encapsulation header further to define a timestamp.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
ShieldX Networks, Inc. (Fortinet Inc.)
Inventors
Ahuja, Ratinder Paul Singh, Nedbal, Manuel
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/224,339
Publication Number

US 20180034833A1
Time in Patent Office

851 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2221/2151   Time stamp

H04L 2212/00   Encapsulation of packets

H04L 45/123   Evaluation of link metrics ...

H04L 45/124   using a combination of metrics

H04L 45/125   based on throughput or band...

H04L 45/30   Routing of multiclass traffic

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/1001   for accessing one among a p...

Channel data encapsulation system and method for use with client-server data channels

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Channel data encapsulation system and method for use with client-server data channels

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links