Regional firewall clustering in a networked computing environment

US 10,237,238 B2
Filed: 11/09/2017
Issued: 03/19/2019
Est. Priority Date: 06/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method for managing a firewall cluster in a networked computing environment, comprising the computer-implemented steps of:

defining a cluster delay interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;

receiving a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;

reading a session state table to determine that there does not exist a session state match based on the source and the destination;

in response to the packet being allowed by a regional policy, buffering the packet for a duration of the cluster delay interval;

determining whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and

when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for regional firewall clustering for optimal state-sharing of different sites in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, each firewall in a given region is informed of its peer firewalls via a registration process with a centralized server. Each firewall opens up an Internet protocol (IP)-based communication channel to each of its peers in the region to share state table information. This allows for asymmetrical firewall flows through the network and allows routing protocols to ascertain the best path to a given destination without having to take firewall placement into consideration.

35 Citations

View as Search Results

20 Claims

1. A method for managing a firewall cluster in a networked computing environment, comprising the computer-implemented steps of:
- defining a cluster delay interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
  
  receiving a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
  
  reading a session state table to determine that there does not exist a session state match based on the source and the destination;
  
  in response to the packet being allowed by a regional policy, buffering the packet for a duration of the cluster delay interval;
  
  determining whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
  
  when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forwarding the packet to the destination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising the computer-implemented step of opening a communication channel between each firewall pair in the firewall cluster.
  - 3. The method of claim 2, further comprising determining an RTT value between each firewall pair in the firewall cluster using the respective communication channel.
  - 4. The method of claim 3, wherein the computer-implemented step of determining the RTT value between each firewall pair in the firewall cluster comprises pinging a respective second firewall in each firewall pair from a respective first firewall in each firewall pair.
  - 5. The method of claim 1, further comprising the computer-implemented step of updating the session state table with session state information related to the source and the destination.
  - 6. The method of claim 1, wherein the networked computing environment is a cloud computing environment.
  - 7. The method of claim 1, wherein when the session state information arrives from the second firewall after the expiration of the cluster delay interval, rejecting the packet.
  - 8. The method of claim 1, wherein a solution service provider provides a computer infrastructure operable to perform the method for one or more consumers.

9. A system for correcting non-compliant source code, comprising:
- a memory medium comprising program instructions;
  
  a bus coupled to the memory medium; and
  
  a processor, for executing the program instructions, which causes the system to;
  
  define a cluster delay interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
  
  receive a packet at a first firewall in the firewall cluster between a source and a destination, wherein the packet has an unknown session state;
  
  read a session state table to determine that there does not exist a session state match based on the source and the destination;
  
  in response to the packet being allowed by a regional policy, buffer the packet for a duration of the cluster delay interval;
  
  determine whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
  
  when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forward the packet to the destination.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, the memory medium further comprising instructions for causing the system to open a communication channel between each firewall pair in the firewall cluster.
  - 11. The system of claim 10, the memory medium further comprising instructions for causing the system to determine an RTT value between each firewall pair in the firewall cluster using the respective communication channel.
  - 12. The system of claim 11, the memory medium further comprising instructions for causing the system to determine the RTT value between each firewall pair in the firewall cluster comprises pinging a respective second firewall in each firewall pair from a respective first firewall in each firewall pair.
  - 13. The system of claim 9, the memory medium further comprising instructions for causing the system to update the session state table with session state information related to the source and the destination.
  - 14. The system of claim 9, wherein the networked computing environment is a cloud computing environment.

15. A computer program product for managing a firewall cluster in a networked computing environment, the computer program product comprising a computer readable hardware storage device, and program instructions stored on the computer readable storage media, to:
- define a cluster delay interval as a highest round trip time (RTT) value among a set of firewall pairs in a firewall cluster;
  
  receive a packet at a first firewall in the firewall duster between a source and a destination, wherein the packet has an unknown session state;
  
  read a session state table to determine that there does not exist a session state match based on the source and the destination;
  
  in response to the packet being allowed by a regional policy, buffer the packet for a duration of the cluster delay interval;
  
  determine whether session state information arrives from a second firewall prior to expiration of the cluster delay interval; and
  
  when the session state information arrives from the second firewall prior to the expiration of the cluster delay interval, forward the packet to the destination.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, the computer readable hardware storage device further comprising instructions to open a communication channel between each firewall pair.
  - 17. The computer program product of claim 16, the computer readable hardware storage device further comprising instructions to determine an RTT value between each firewall pair using an appropriate communication channel.
  - 18. The computer program product of claim 17, the computer readable hardware storage device further comprising instructions to determine the RTT value between each firewall pair comprises pinging a respective second firewall in each firewall pair from a respective first firewall in each firewall pair.
  - 19. The computer program product of claim 15, the computer readable hardware storage device further comprising instructions to update the session state table with session state information related to the source and destination.
  - 20. The computer program product of claim 15, wherein the networked computing environment is a cloud computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Floyd, III, Robert K., Mandalia, Baiju D., Monaco, Robert P., Viswanathan, Mahesh
Primary Examiner(s)
Edwards, Linglan E

Application Number

US15/808,034
Publication Number

US 20180069833A1
Time in Patent Office

495 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/0864   Round trip delays

H04L 47/283   in response to processing d...

H04L 47/32   by discarding or delaying d...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 67/5681   Pre-fetching or pre-deliver...

Regional firewall clustering in a networked computing environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Regional firewall clustering in a networked computing environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links