System and apparatus for providing network security

US 10,601,873 B2
Filed: 10/24/2017
Issued: 03/24/2020
Est. Priority Date: 03/17/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

rule engine hardware configured to receive data flows between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to;

parse frames of the received data flows,determine a match of one or more frames of one of the received data flows to data flow information stored by the rule engine, andin response to the determined match, perform an action with respect to said one of the received data flows, said rule engine being associated with at least one first key; and

controller hardware configured to provide control information to said rule engine to define one or more actions which are to be performed with respect to one or more of said received data flows, said controller being associated with at least one second key;

a first data store comprising said at least one first key; and

a second data store comprising said at least one second key,wherein said at least one first key and said at least one second key are used to encrypt at least one communication between said rule engine and said controller resulting in at least one communication between said rule engine and said controller being secure.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rule engine receives data flows. The data flows are between a network and an application. The rule engine determines data flow information and in dependence on the information performs an action with respect to said flow. A controller provides control information to the rule engine to define one or more actions. The communications between said rule engine and said controller are secure.

Citations

30 Claims

1. A system comprising:
- rule engine hardware configured to receive data flows between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to;
  
  parse frames of the received data flows,determine a match of one or more frames of one of the received data flows to data flow information stored by the rule engine, andin response to the determined match, perform an action with respect to said one of the received data flows, said rule engine being associated with at least one first key; and
  
  controller hardware configured to provide control information to said rule engine to define one or more actions which are to be performed with respect to one or more of said received data flows, said controller being associated with at least one second key;
  
  a first data store comprising said at least one first key; and
  
  a second data store comprising said at least one second key,wherein said at least one first key and said at least one second key are used to encrypt at least one communication between said rule engine and said controller resulting in at least one communication between said rule engine and said controller being secure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system as claimed in claim 1, wherein said controller is configured to receive information from said rule engine about said data flows.
  - 3. The system as claimed in claim 1, wherein at least one of said first and second data stores comprises a one time programmable memory.
  - 4. The system as claimed in claim 1, wherein at least one of said first and second data stores comprises a hardware security module.
  - 5. The system as claimed in claim 1, whereinat least one of said first and second key is stored in at least one of said first and second data store at manufacture.
  - 6. The system as claimed in claim 1, wherein at least one of said rules engine and said controller is configured to receive a message from a trusted authority and to verify said message using a respective key of said at least one first key and said at least one second key.
  - 7. The system as claimed in claim 6, wherein the message received by the controller comprises a public key associated with said at least one first key and the message received by the rule engine comprises at least one public key associated with the at least one second key.
  - 8. The system as claimed in claim 1, wherein one of said rules engine and said controller is configured to send a message to the other of said rules engine and said controller, said message encrypted by a public key and signed with a private key of said one of said rules engine and said controller, said message comprising a further key to use for further secure communications between the rules engine and the controller.
  - 9. The system as claimed in claim 1, wherein said rule engine is provided in a first trusted domain and said controller is provided in a second trusted domain, different to the first domain.
  - 10. The system as claimed in claim 1, wherein said controller is provided in a trusted virtual machine.
  - 11. The system as claimed in claim 1, wherein said rules engine is provided in a network interface device.
  - 12. The system as claimed in claim 1, wherein said rules engine is provided in a hypervisor.
  - 13. The system as claimed in claim 1, wherein a plurality of rules engines are provided.
  - 14. The system as claimed in claim 1, wherein said data flow information comprises header information.
  - 15. The system as claimed in claim 1, wherein the rules engine comprises an execution block configured to perform said at least one action defined by a rule and update information in a data store of said rules engine.
  - 16. A system as claimed in claim 1, wherein said at least one first key and said at least one second key comprise a shared key.
  - 17. A system as claimed in claim 1, wherein said at least one first key and said at least one second key are different.
  - 18. A system as claimed in claim 1, wherein the rule engine hardware comprises a processor in communication with a memory, the memory including code portions which provide the rule engine when executed by the processor.
  - 19. A system as claimed in claim 1, wherein the controller hardware comprises a processor in communication with a memory, the memory including code portions which provide the controller when executed by the processor.

20. A system comprising:
- rule engine hardware configured to receive data flows between a network and an application, said rule engine being provided between said network and said application, said rule engine having a first data store comprising at least one first key, said rule engine being configured to;
  
  parse frames of the received data flows,determine a match of one or more frames of one of the received data flows to data flow information stored by the rule engine, andin response to the determined match, perform an action with respect to said one of the received data flows, said rule engine configured to receive control information from a controller defining one or more of said actions which are to be performed with respect to one or more of said received data flows,wherein said at least one first key is used to encrypt at least one communication between said rule engine and said controller resulting in said at least one communication between said rule engine and said controller being secure,wherein the system is a network interface device.
- View Dependent Claims (21)
- - 21. A system as claimed in claim 20, wherein the rule engine hardware comprises a processor in communication with a memory, the memory including code portions which provide the rule engine when executed by the processor.

22. A system comprising:
- controller hardware, said controller configured to provide control information to a rule engine in a network interface device to define one or more actions, the rule engine configured to receive data flows between a network and an application and to perform one or more of said actions with respect to one of the received data flows in response to determining a match of one or more frames of the one of the received data flows to data flow information stored by the rule engine, said controller having a second data store comprising at least one second key,wherein said at least one second key is used to encrypt at least one communication between said rule engine and said controller resulting in said at least one communication between said rule engine and said controller being secure,wherein the system is a server apparatus.
- View Dependent Claims (23)
- - 23. A system as claimed in claim 22, wherein the controller hardware comprises a processor in communication with a memory, the memory including code portions which provide the controller when executed by the processor.

24. A computer program product, the computer program product being embodied on a non-transient computer-readable medium and including software code portions which when executed on a processor provide a rule engine which:
- receives data flows, said data flows being between a network and an application;
  
  parses frames of the received data flows;
  
  determines a match of one or more frames of one of the received data flows to data flow information stored by the rule engine;
  
  in response to the determined match, performs an action with respect to said one of the received data flows; and
  
  receives control information from a controller defining one or more of said actions to be performed with respect to one or more of said received data flows, said rule engine having a first data store comprising at least one first key,wherein said at least one first key is used to encrypt at least one communication between said rule engine and said controller resulting in said at least one communication between said rule engine and said controller being secure.

25. A computer program product, the computer program product being embodied on a non-transient computer-readable medium and configured so as when executed on a processor to provide a controller which:
- provides control information to a rule engine in a network interface device to define one or more actions, the rule engine configured to receive data flows between a network and an application and to perform one or more of said actions with respect to one of the received data flows in response to determining a match of one or more frames of the one of the received data flows to data flow information stored by the rule engine, said controller having a second data store comprising at least one second key,wherein said at least one second key is used to encrypt at least one communication between said rule engine and said controller resulting in said at least one communication between said rule engine and said controller being secure.

26. A system comprising:
- rule engine hardware configured to;
  
  receive data flows, said data flows being between a network and an application;
  
  parse frames of the received data flows; and
  
  determine a match of one or more frames of one of the received data flows to data flow information stored by the rule engine,said rule engine being provided between said network and said application, said rule engine being configured to, in response to the determined match perform an action with respect to said one of the received data flows, receive control information from a controller defining one or more of said actions which are to be performed with respect to one or more of said received data flows, said rule engine having a first data store comprising at least one first key,wherein said at least one first key is used to encrypt at least one communication between said rule engine and said controller resulting in said at least one communication between said rule engine and said controller being secure,wherein the system is a firewall device.
- View Dependent Claims (27)
- - 27. A system as claimed in claim 26, wherein the rule engine hardware comprises a processor in communication with a memory, the memory including code portions which provide the rule engine when executed by the processor.

28. A system comprising:
- rule engine hardware configured to;
  
  receive data flows, said data flows being between a network and an application;
  
  parse frames of the received data flows;
  
  determine a match of one or more frames of one of the received data flows to data flow information stored by the rule engine,said rule engine being provided between said network and said application, said rule engine being configured to, in response to the determined match, perform an action with respect to said one of the received data flows, said rule engine configured to receive control information from a controller defining one or more of said actions which are to be performed with respect to one or more of said received data flows, said rule engine having a first data store comprising said at least one first key,wherein said at least one first key is used to encrypt at least one communication between said rule engine and said controller resulting in said at least one communication between said rule engine and said controller being secure,wherein the system is a switch.
- View Dependent Claims (29)
- - 29. A system as claimed in claim 28, wherein the rule engine hardware comprises a processor in communication with a memory, the memory including code portions which provide the rule engine when executed by the processor.

30. A system comprising:
- a hardware device configured to provide a hypervisor comprising a rule engine configured to;
  
  receive data flows, said data flows being between a network and an application;
  
  parse frames of the received data flows; and
  
  determine a match of one or more frames of one of the received data flows to data flow information stored by the rule engine,said rule engine being provided between said network and said application, said rule engine being configured to in response to the determined match, perform an action with respect to said one of the received data flows, said rule engine configured to receive control information from a controller defining one or more of said actions which are to be performed with respect to one or more of said received data flows, said rule engine having a first data store comprising said at least one first key,wherein said at least one first key is used to encrypt at least one communication between said rule engine and said controller resulting in said at least one communication between said rule engine and said controller being secure,wherein the system is a data processing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xilinx, Inc. (Advanced Micro Devices, Inc.)
Original Assignee
Xilinx, Inc. (Advanced Micro Devices, Inc.)
Inventors
Pope, Steven L., Riddoch, David J., Roberts, Derek
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/792,481
Publication Number

US 20180063197A1
Time in Patent Office

882 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/06   for supporting key manageme...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

System and apparatus for providing network security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and apparatus for providing network security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links