Distributed network security system and a hardware processor therefor

US 20040165588A1
Filed: 02/20/2004
Published: 08/26/2004
Est. Priority Date: 06/11/2002
Status: Active Grant

First Claim

Patent Images

1. A security system comprising a network, said network comprising one or more networked systems of one or more types, a plurality of said one or more networked systems comprising a hardware processor providing transport layer protocol processing, said hardware processor comprising a protocol processing engine to do transport layer protocol processing;

or a programmable rule processing engine to analyze network traffic for rule matching or taking actions on matched rules or a combination thereof;

or a security processing engine to do encryption, decryption, authorization or authentication or a combination thereof using standard or proprietary security protocols;

or a packet classification engine to classify the network traffic;

or a packet processing engine to perform packet processing tasks;

or a combination of any of the foregoing, said security system providing multiple protocol layer security in said network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol layer and may also provide packet inspection through Layer 7. A set of engines may perform pass-through packet classification, policy processing and/or security processing enabling packet streaming through the architecture at nearly the full line rate. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer. A security system is also disclosed that enables a new way of implementing security capabilities inside enterprise networks in a distributed manner using a protocol processing hardware with appropriate security features.

597 Citations

27 Claims

1. A security system comprising a network, said network comprising one or more networked systems of one or more types, a plurality of said one or more networked systems comprising a hardware processor providing transport layer protocol processing, said hardware processor comprising a protocol processing engine to do transport layer protocol processing;
- or a programmable rule processing engine to analyze network traffic for rule matching or taking actions on matched rules or a combination thereof;
  
  or a security processing engine to do encryption, decryption, authorization or authentication or a combination thereof using standard or proprietary security protocols;
  
  or a packet classification engine to classify the network traffic;
  
  or a packet processing engine to perform packet processing tasks;
  
  or a combination of any of the foregoing, said security system providing multiple protocol layer security in said network.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 17, 19)
- - 3. The security system of claim 1 further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager and to set up rules in said hardware processor on at least one of said plurality of said one or more networked systems to analyze and enforce security based on said rules.
  - 4. The security system of claim 3 wherein the central manager comprises at least one of:
    - a. A Security Policy Developer Interface for entering security policy;
      
      b. A Security Rules Compiler for compiling security policies into rules;
      
      c. A Rules Distribution Engine to distributed rules to said plurality of said one or more networked systems;
      
      d. A Security Policy Manager Interface to manage said plurality of said one or more networked systems;
      
      e. A Security Monitoring Engine to monitor said network;
      
      f. An event collection/management engine to manage said network and collect events or reports from at least one of said plurality of said one or more networked systems;
      
      or g. a combination of any of the foregoing.
  - 5. The security system of claim 3 wherein at least one of said networked systems provides security based on rules for a. OSI protocol layer two to provide layer two or MAC layer filtering;
    - or b. OSI protocol layer three to provide layer three or network layer filtering;
      
      or c. OSI protocol layer four to provide layer four or transport layer filtering;
      
      or d. OSI protocol layers five through seven to provide upper layer or application layer filtering;
      
      or e. a combination of any of the foregoing.
  - 6. The security system of claim 1 including security protocols comprising at least one of IPSEC, OPSEC, SSL, TLS, AES, DES, 3DES, SHA1, MD4, MD5, RSA, CHAP, Kerberos, a proprietary protocol, or a combination of any of the foregoing.
  - 7. The security system of claim 3 wherein at least one of the at least one policy drivers executes on a processor of said hardware processor or on a host processor of at least one of said networked systems.
  - 8. The security system of claim 1 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, unauthorized access, or a combination of any of the foregoing.
  - 17. The combination of claim 1 wherein said one or more networked systems comprises a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, VOIP server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system or gateway device or a combination of any of the foregoing.
  - 19. The security system of claim 1 wherein said packet processing steps include header processing or deep packet processing or a combination thereof.

2. A security system for a storage area network, said storage area network comprising one or more networked systems of one or more types, said security system comprising a set of systems from said one or more networked systems, a plurality of said set of systems comprising a hardware processor providing transport layer protocol processing, said hardware processor comprising a storage protocol processing engine to do protocol processing;
- or a protocol processing engine to do transport layer protocol processing;
  
  or a programmable rule processing engine to analyze storage area network traffic for rule matching or taking actions on matched rules or a combination thereof;
  
  or a security processing engine to do encryption, decryption, authorization or authentication or a combination thereof using standard or proprietary security protocols;
  
  or a packet classification engine to classify the storage area network traffic;
  
  or a packet processing engine to perform packet processing tasks like header processing or deep packet processing or a combination thereof;
  
  or a combination of any or the foregoing, said security system providing multiple protocol layer security in said storage area network.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The security system of claim 2 further comprising:
    - a. at least one central manager for compiling and distributing storage area network security rules; and
      
      b. at least one security policy driver to communicate with the central manager to set up rules in said hardware processor on at least one of said plurality of said one or more networked systems to analyze and enforce storage area network security based on said rules.
  - 21. The security system of claim 20 wherein the central manager comprises at least one of:
    - a. A Security Policy Developer Interface for entering security policy;
      
      b. A Security Rules Compiler for compiling security policies into rules;
      
      c. A Rules Distribution Engine to distribute rules to the said plurality of said one or more networked systems d. A Security Policy Manager Interface to manage said plurality of said one or more networked systems;
      
      e. A Security Monitoring Engine to monitor said network;
      
      f. An event collection/management engine to manage said network and collect events or reports from said plurality of said one or more networked systems;
      
      or g. a combination of any of the foregoing.
  - 22. The security system of claim 20 wherein at least one of said networked systems provides security based on rules for a. OSI protocol layer two to provide layer two or MAC layer filtering;
    - or b. OSI protocol layer three to provide layer three or network layer filtering;
      
      or c. OSI protocol layer four to provide layer four or transport layer filtering;
      
      or d. OSI protocol layers five through seven to provide upper layer or application layer filtering;
      
      or e. Storage protocol layer to provide storage protocol layer filtering;
      
      or f. a combination of any of the foregoing.
  - 23. The security system of claim 2 including security protocols comprising at least one of IPSEC, OPSEC, SSL, TLS, AES, DES, 3DES, SHA1, MD4, MD5, RSA, CHAP, Kerberos, a proprietary protocol or a combination of any of the foregoing.
  - 24. The security system of claim 20 including a policy driver that executes on a processor of said hardware processor or on a host processor of at least one of said networked systems.
  - 25. The security system of claim 2 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, unauthorized access, or a combination of any of the foregoing.

9. A security system comprising a network, said network comprising one or more networked systems of one or more types, a plurality of said one or more networked systems comprising a hardware processor providing remote direct memory access capability, said hardware processor comprising an RDMA mechanism for performing RDMA data transfer or a protocol processing engine to do transport layer protocol processing;
- or a programmable rule processing engine to analyze network traffic for rule matching or taking actions on matched rules or a combination thereof;
  
  or a security processing engine to do encryption, decryption, authorization or authentication or a combination thereof using standard or proprietary security protocols;
  
  or a packet classification engine to classify the network traffic;
  
  or a packet processing engine to perform packet processing tasks like header processing or deep packet processing or a combination thereof;
  
  or a combination of any of the foregoing, said security system providing multiple protocol layer security in said network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 18)
- - 10. The security system of claim 9 where said hardware processor provides a transport layer remote direct memory access capability.
  - 11. The security system of claim 9 further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager to set up rules in said hardware processor on at least one of said plurality of said one or more networked systems to analyze and enforce security based on said rules.
  - 12. The security system of claim 11 wherein the central manager comprises at least one of:
    - a. A Security Policy Developer Interface for entering security policy;
      
      b. A Security Rules Compiler for compiling security policies into rules;
      
      c. A Rules Distribution Engine to distribute rules to said plurality of said one or more networked systems d. A Security Policy Manager Interface to manage said plurality of said one or more networked systems;
      
      e. A Security Monitoring Engine to monitor said network;
      
      f. An event collection/management engine to manage said network and collect events or reports from said plurality of said one or more networked systems;
      
      or g. a combination of any of the foregoing.
  - 13. The security system of claim 11 wherein at least one of said networked systems provides security based on rules for a. OSI protocol layer two to provide layer two or MAC layer filtering;
    - or b. OSI protocol layer three to provide layer three or network layer filtering;
      
      or c. OSI protocol layer four to provide layer four or transport layer filtering;
      
      or d. OSI protocol layers five through seven to provide upper layer or application layer filtering;
      
      or e. a combination of any of the foregoing.
  - 14. The security system of claim 9 including security protocols comprising at least one of IPSEC, OPSEC, SSL, TLS, AES, DES, 3DES, SHA1, MD4, MD5, RSA, CHAP, Kerberos, a proprietary protocol or a combination of any of the foregoing.
  - 15. The security system of claim 11 wherein at least one of the at least one policy driver that executes on a processor of said hardware processor or on a host processor of at least one of said networked systems.
  - 16. The security system of claim 9 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, unauthorized access, or a combination of any of the foregoing.
  - 18. The combination of claim 9 wherein said one or more networked systems comprises a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, VOIP server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system or gateway device or a combination of any of the foregoing.

26. A security system for a network, said network comprising one or more networked systems of one or more types, said security system comprising a set of systems from said one or more networked systems, a plurality of said set of systems comprising a hardware processor providing transport layer protocol processing, said hardware processor comprising a protocol processing engine to do transport layer protocol processing;
- or a programmable rule processing engine to analyze network traffic for rule matching or taking actions on matched rules or a combination thereof;
  
  or a security processing engine to do encryption, decryption, authorization or authentication or a combination thereof using standard or proprietary security protocols;
  
  or a packet classification engine to classify the network traffic;
  
  or a packet processing engine to perform packet processing tasks like header processing or deep packet processing or a combination thereof;
  
  or a combination of the foregoing, said security system providing multiple protocol layer security in said network.

27. A security system for a network comprising one or more networked systems, at least one of said networked systems having a hardware processor providing a protocol processing stack, said security system providing a secure operating environment for said protocol processing stack for trusted computing needs of one or more of said networked systems by providing a policy driver for setting up the hardware processor for security policy rules to be enforced by said hardware processor, and a central manager for compiling and distributing said rules and monitoring the enforcement of said rules by said hardware processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Memory Access Technologies LLC
Original Assignee
Ashish A. Pandya
Inventors
Pandya, Ashish A.

Granted Patent

US 7,415,723 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0272   Virtual private networks

H04L 67/1097   for distributed storage of ...

H04L 69/12   Protocol engines

Distributed network security system and a hardware processor therefor

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

597 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed network security system and a hardware processor therefor

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

597 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links