Network security accelerator

US 20020108059A1
Filed: 03/01/2001
Published: 08/08/2002
Est. Priority Date: 03/03/2000
Status: Abandoned Application

First Claim

Patent Images

1. A network processing system connected to a network that carries data in packet format, comprising:

a security accelerator having a processor programmed to receive packets from the network and to examine each packet to determine whether data in the packet represents a potential security violation;

at least one processing unit programmed to respond to requests contained within the packets; and

an interconnection medium for directly connecting the security accelerator to the processing units.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network processing system uses intelligent security hardware as a security accelerator at its front end. The security hardware performs initial processing of incoming data, such as security detection tasks. The security hardware is directly connected to one or more processing units, via a bus or switch fabric, which execute appropriate applications and/or storage programming.

333 Citations

88 Claims

1. A network processing system connected to a network that carries data in packet format, comprising:
- a security accelerator having a processor programmed to receive packets from the network and to examine each packet to determine whether data in the packet represents a potential security violation;
  
  at least one processing unit programmed to respond to requests contained within the packets; and
  
  an interconnection medium for directly connecting the security accelerator to the processing units.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. The system of claim 1, wherein the processor is a network processor.
  - 3. The system of claim 1, wherein the processor is a CPU processor.
  - 4. The system of claim 1, wherein the security accelerator further has hardware logic operable in conjunction with the processor.
  - 5. The system of claim 1, wherein the interconnection medium is a bus.
  - 6. The system of claim 1, wherein the interconnection medium is a switch fabric.
  - 7. The system of claim 1, wherein the interconnection medium is shared memory.
  - 8. The system of claim 1, wherein the network is the Internet.
  - 9. The system of claim 1, wherein the network is a private network.
  - 10. The system of claim 1, wherein the security accelerator determines a potential security violation by determining whether a packet is part of a denial of service attack.
  - 11. The system of claim 1, wherein the security accelerator determines a potential security violation by determining whether a packet is part of a syn attack.
  - 12. The system of claim 1, wherein the security accelerator is further programmed to determine whether outgoing data is authorized to be sent.
  - 13. The system of claim 1, wherein the network processing system is an endpoint system.
  - 14. The system of claim 13, wherein the endpoint system is a content delivery system.
  - 15. The system of claim 1, wherein the network processing system is a client system.
  - 16. The system of claim 1, wherein the network processing system is a single chassis system.
  - 18. The method of claim 17, wherein the processor is a network processor.
  - 19. The method of claim 17, wherein the processor is a CPU processor.
  - 20. The method of claim 17, wherein the security accelerator further has hardware logic operable in conjunction with the processor.
  - 21. The method of claim 17, wherein the interconnection medium is a bus.
  - 22. The method of claim 17, wherein the interconnection medium is a switch fabric.
  - 23. The method of claim 17, wherein the interconnection medium is shared memory.
  - 24. The method of claim 17, wherein the network is the Internet.
  - 25. The method of claim 17, wherein the network is a private network.
  - 26. The method of claim 17, wherein the security accelerator determines a potential security violation by determining whether a packet is part of a denial of service attack.
  - 27. The method of claim 17, wherein the security accelerator determines a potential security violation by determining whether a packet is part of a syn attack.
  - 28. The method of claim 17, wherein the security accelerator is further programmed to determine whether outgoing data is authorized to be sent.
  - 29. The method of claim 17, wherein the network processing system is an endpoint system.
  - 30. The method of claim 17, wherein the endpoint system is a content delivery system.
  - 31. The method of claim 17, wherein the network processing system is a client system.

17. A method for processing network data at a network processing system that receives packet data via a network, comprising the steps of:
- using a security accelerator having a processor to receive packets from the network and to examine each packet to determine whether data in the packet represents a potential security violation;
  
  using at least one processing unit to respond to requests contained within the packets; and
  
  directly connecting the security accelerator to the processing unit via an interconnection medium.

32. A security accelerator device for use at a network node, comprising:
- at least one processor programmed to receive packets from the network and to examine each packet to determine whether data in the packet represents a potential security violation;
  
  an front end interface for connecting the security accelerator to a network; and
  
  a back end interface for connecting the security accelerator to an interconnection medium.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. The device of claim 32, wherein the processor is a network processor.
  - 34. The device of claim 32, wherein the processor is a CPU processor.
  - 35. The device of claim 32, wherein the security accelerator further has hardware logic operable in conjunction with the processor.
  - 36. The device of claim 32, wherein the interconnection medium is a bus.
  - 37. The device of claim 32, wherein the interconnection medium is a switch fabric.
  - 38. The device of claim 32, wherein the interconnection medium is shared memory.
  - 39. The device of claim 32, wherein the security accelerator, the front end interface, and the back end interface are fabricated as a single circuit component.

40. A network connectable computing system providing at least some security functions in addition to system functionality, the system being configured to be connected on at least one end to a network, the system comprising:
- at least one network connection configured to be coupled to the network;
  
  at least one system processor for performing system functionality;
  
  security hardware located in a data path between the network connection and the at least one processor; and
  
  an interconnection between the at least one processor and the security hardware, wherein the security hardware off-loads at least some security functions from other system resources by analyzes data packets entering the network connectable computing system to perform security functions prior to forwarding the data packets to the remainder of the system.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 49, 50, 51, 52, 53, 54, 55, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 41. The system of claim 40 wherein the security hardware comprises a network processor.
  - 42. The system of claim 41 wherein the security functions are programmable.
  - 43. The system of claim 41, wherein the analysis of data packets comprises analyzing data packet headers.
  - 44. The system of claim 43, wherein the at least one system processor and the network processor communicate in a peer to peer environment across a distributed interconnect.
  - 45. The system of claim 44, wherein the at least one system processor comprises at least one storage processor and at least one application processor.
  - 46. The system of claim 40, wherein the network connectable computing system is a network endpoint system and the at least one system processor comprises at least one storage processor and at least one application processor.
  - 47. The system of claim 46, wherein the interconnection is a switch fabric.
  - 49. The method of claim 48 wherein the security function is to determine if the data is part of a security attack.
  - 50. The method of claim 48 wherein the security function is a filtering operation.
  - 51. The method of claim 48 wherein the security function is an authentication verification or access control list function.
  - 52. The method of claim 48, further comprising performing security functions on outgoing data packets to provide bi-directional security functionality.
  - 53. The method of claim 48 wherein the security function is performed by a network processor.
  - 54. The method of claim 53 wherein the network connectable computing system is a network endpoint system.
  - 55. The method of claim 54 wherein the network processor is programmable to allow the implementation of different security algorithms.
  - 57. The network endpoint system of claim 56, wherein the security hardware is programmable so that different security algorithms may be implemented in the security hardware.
  - 58. The network endpoint system of claim 56, wherein the at least one system processor comprises at least one storage processor and at least one application processor.
  - 59. The network endpoint system of claim 58, wherein the security hardware comprises at least one network processor.
  - 60. The network endpoint system of claim 59, wherein the network processor, the storage processor and the application processor operate in a peer to peer environment across the distributed interconnect.
  - 61. The network endpoint system of claim 60, wherein the distributed interconnect is a switch fabric.
  - 62. The network endpoint system of claim 56, wherein the network endpoint system is a content delivery system.
  - 63. The network endpoint system of claim 62 wherein:
    - the security hardware comprises at least one network processor;
      
      the at least one system processor comprises at least one storage processor and at least one application processor, the storage processor being configured to interface with a storage system; and
      
      the network processor, the storage processor and the application processor operate in a peer to peer environment across the distributed interconnect.
  - 64. The network endpoint system of claim 63 wherein the distributed interconnect is a switch fabric.
  - 65. The network endpoint system of claim 64, wherein the system is configured in a single chassis.

48. A method of operating a network connectable computing system, comprising:
- receiving data from a network;
  
  analyzing the data with programmable security hardware to decode incoming data packet headers;
  
  performing at least one security function based upon the analysis of the data packet header; and
  
  forwarding the data packet to at least one system processor through a system interconnection after performing the at least one function.

56. A network endpoint system for performing endpoint functionality, the endpoint system comprising:
- at least one system processor, the system processor performing endpoint processing functionality;
  
  a distributed interconnect coupled to the at least one system processor; and
  
  security hardware coupled to the distributed interconnect, wherein the system is configured such that a data packet from a network may be processed by the security hardware prior to being processed by the at least one system processor, and wherein the security hardware is configured to process at least a portion of the data packet to perform a security function prior to the security hardware forwarding the data packet to the distributed interconnect.

66. A method of operating a network endpoint system, comprising:
- providing a network processor within the network endpoint system, the network processor being at an interface which couples the network endpoint system to a network;
  
  processing data passing through the interface with the network processor;
  
  performing security functions as part of the processing of the network processor; and
  
  forwarding incoming network data from the network processor to a system processor which performs at least some endpoint functionality upon the data.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74, 75)
- - 67. The method of claim 66 wherein the network processor rejects incoming network data which violates security algorithms and forwards incoming data which passes security algorithms to the system processor.
  - 68. The method of claim 66 wherein the network processor analyzes headers of data packets to perform the security functions.
  - 69. The method of claim 68 wherein the network processor is programmable to implement different security algorithms.
  - 70. The method of claim 68 wherein the security functions include detecting a security 70.
  - 71. The method of claim 70 wherein the security attack comprises a denial of service attack.
  - 72. The method of claim 68 wherein the security function is a filtering operation.
  - 73. The method of claim 68 wherein the security function is an authentication verification or access control list function.
  - 74. The method of claim 68, wherein the security function is performed upon outgoing data.
  - 75. The method of claim 74 wherein the security function comprises performing security functions upon both outgoing and incoming data.

76. A network connectable computing system, comprising:
- a first connection to receive data packets from a network;
  
  security hardware comprising at least one network processor, the security hardware coupled to the interface connection; and
  
  a second connection to transmit data processed by the security hardware, wherein the at least one network processor analyzes at least a portion of the data packets to perform at least one security function.
- View Dependent Claims (77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88)
- - 77. The system of claim 76, wherein the network processor analyzes headers of the data packets.
  - 78. The system of claim 76, wherein the system is an intermediate network node system.
  - 79. The system of claim 78, wherein the system is a network switch.
  - 80. The system of claim 76, wherein the system is a network endpoint system.
  - 81. The system of claim 76, wherein the system is a network endpoint system having at least one server or at least one server card coupled to the second connection.
  - 82. The system of claim 76, wherein the system is incorporated into a network interface card.
  - 83. The system of claim 81, wherein the second connection is a distributed interconnection.
  - 84. The system of claim 83, wherein the distributed interconnection is a switch fabric.
  - 85. The system of claim 76, wherein the second connection is coupled to an asymmetric multi-processing system.
  - 86. The system of claim 85, wherein the second connection is a distributed interconnection and the asymmetric multi-processing system includes a plurality of task specific processors.
  - 87. The system of claim 86, wherein the distributed interconnection is a switch fabric and the task specific processors include storage or application processors.
  - 88. The system of claim 87, wherein the task specific processors include storage and application processors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Surgient Networks, Inc. (Quest Software, Inc.)
Original Assignee
Surgient Networks, Inc. (Quest Software, Inc.)
Inventors
Wang, Ho, Canion, Rodney S., Richter, Roger K., Johnson, Scott C., Garvens, Thomas E., Bailey, Brian W.

Application Number

US09/797,411
Publication Number

US 20020108059A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 41/509   wherein the managed service...

H04L 43/00   Arrangements for monitoring...

H04L 43/0894   Packet rate

H04L 43/106   using time related informat...

H04L 43/12   Network monitoring probes

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 69/12   Protocol engines

H04L 9/40   Network security protocols

Network security accelerator

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

333 Citations

88 Claims

Specification

Solutions

Use Cases

Quick Links

Network security accelerator

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

333 Citations

88 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links