Runtime adaptable security processor

US 20050108518A1
Filed: 12/02/2004
Published: 05/19/2005
Est. Priority Date: 06/10/2003
Status: Abandoned Application

First Claim

Patent Images

1. A security solution comprising a network, said network comprising one or more networked systems of one or more types, at least one of said one or more networked systems comprising a security processor providing application layer or network layer or storage area network or application specific security or a combination thereof, said security processor comprising a programmable content search and rule processing engine to analyze network traffic to perform content search or take actions on matched rules or a combination thereof;

or a runtime adaptable processor to provide adaptable hardware acceleration on network traffic presented to the said security processor;

or a programmable classification and rules processing engine based on CAM architecture to provide high speed rule searching and security processing to network traffic presented to the said security processor;

or a hardware processor providing transport layer protocol processing;

or a combination of two or more of the foregoing, said security solution providing multiple protocol layer security in the said network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A runtime adaptable security processor is disclosed. The processor architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol layer and may also provide packet inspection through Layer 7. Further, a runtime adaptable processor is coupled to the protocol processing hardware and may be dynamically adapted to perform hardware tasks as per the needs of the network traffic being sent or received and/or the policies programmed or services or applications being supported. A set of engines may perform pass-through packet classification, policy processing and/or security processing enabling packet streaming through the architecture at nearly the full line rate. A high performance content search and rules processing security processor is disclosed which may be used for application layer and network layer security. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer. A security system is also disclosed that enables a new way of implementing security capabilities inside enterprise networks in a distributed manner using a protocol processing hardware with appropriate security features.

470 Citations

19 Claims

1. A security solution comprising a network, said network comprising one or more networked systems of one or more types, at least one of said one or more networked systems comprising a security processor providing application layer or network layer or storage area network or application specific security or a combination thereof, said security processor comprising a programmable content search and rule processing engine to analyze network traffic to perform content search or take actions on matched rules or a combination thereof;
- or a runtime adaptable processor to provide adaptable hardware acceleration on network traffic presented to the said security processor;
  
  or a programmable classification and rules processing engine based on CAM architecture to provide high speed rule searching and security processing to network traffic presented to the said security processor;
  
  or a hardware processor providing transport layer protocol processing;
  
  or a combination of two or more of the foregoing, said security solution providing multiple protocol layer security in the said network.
- View Dependent Claims (3, 4, 5, 6, 13, 19)
- - 3. The security solution of claim 1 further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager and set up rules in the said security processor on at least one of said one or more networked systems to analyze and enforce security based on the said rules.
  - 4. The security solution of claim 3 wherein the central manager comprises at least one of:
    - a. An Application Programming Interface for entering security rules;
      
      b. A Rules Compiler for compiling security rules;
      
      c. A Rules Distribution Engine to distribute rules to the said at least one of said one or more networked systems;
      
      d. A Monitoring interface to monitor the said network;
      
      e. An event recording engine and database to manage the said network and collect events or reports from the said plurality of said one or more networked systems;
      
      or f. a combination of two or more of the foregoing.
  - 5. The security solution of claim 3 wherein at least one of said one or more networked systems provides security based on rules for a. OSI protocol layer two to provide layer two or MAC layer security;
    - or b. OSI protocol layer three to provide layer three or network layer security;
      
      or c. OSI protocol layer four to provide layer four or transport layer security;
      
      or d. OSI protocol layers five through seven to provide upper layer or application layer security;
      
      or e. a combination of any two or more of the foregoing.
  - 6. The security solution of claim 1 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, digital rights management, instant message inspection, URL matching, application detection, malicious content identification, extrusion detection, unauthorized access detection, or detecting other security attacks, or a combination of any two or more of the foregoing.
  - 13. The combination of claim 1 wherein one of said one or more networked systems is a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, VoIP server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system or gateway device or a combination of two or more of the foregoing.
  - 19. The security solution of claim 1 providing a secure operating environment for a network protocol processing stack on one or more of the said networked systems for trusted computing environment needs of the networked systems.

2. A security solution for a storage area network, said storage area network comprising one or more networked systems of one or more types, said security solution comprising a set of systems from said one or more networked systems, a plurality of said set of systems comprising a security processor providing application layer or network layer or storage area network or application specific security or a combination thereof, said security processor comprising a storage protocol processing engine to do storage protocol processing;
- or a programmable content search and rule processing engine to analyze storage area network traffic to perform content search or take actions on matched rules or a combination thereof;
  
  or a runtime adaptable processor to provide adaptable hardware acceleration on storage area network traffic presented to the said security processor;
  
  or a programmable classification and rules processing engine based on CAM architecture to provide high speed rule searching and security processing to storage area network traffic presented to the said security processor;
  
  or a hardware processor providing transport layer protocol processing;
  
  or a combination of two or more of the foregoing, said security solution providing multiple protocol layer security in the said storage area network.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The security solution of claim 2 further comprising:
    - a. at least one central manager for compiling and distributing storage area network security rules; and
      
      b. at least one security policy driver to communicate with the central manager and set up rules in the said security processor on at least one of said one or more networked systems to analyze and enforce storage area network security based on the said rules.
  - 16. The security solution of claim 15 wherein the central manager comprises at least one of:
    - a. An Application Programming Interface for entering security rules;
      
      b. A Rules Compiler for compiling security rules;
      
      c. A Rules Distribution Engine to distributed rules to the said plurality of said one or more networked systems;
      
      d. A Monitoring interface to monitor the said storage area network;
      
      e. An event recording engine and database to manage the said network and collect events or reports from the said plurality of said networked systems;
      
      or f. a combination of two or more of the foregoing.
  - 17. The security solution of claim 15 wherein at least one of said one or more networked systems provides security based on rules for a. OSI protocol layer two to provide layer two or MAC layer security;
    - or b. OSI protocol layer three to provide layer three or network layer security;
      
      or c. OSI protocol layer four to provide layer four or transport layer security;
      
      or d. OSI protocol layers five through seven to provide upper layer or application layer security;
      
      or e. a combination of two or more of the foregoing.
  - 18. The security solution of claim 2 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, digital rights management, instant message inspection, URL matching, application detection, malicious content identification, extrusion detection, unauthorized access detection, or detecting other security attacks, or a combination of two or more of the foregoing.

7. A security solution comprising a network, said network comprising one or more networked systems of one or more types, at least one of said one or more networked systems comprising a security processor providing remote direct memory access capability, said security processor comprising an RDMA mechanism for performing RDMA data transfer;
- or a programmable content search and rule processing engine to analyze network traffic to perform content search or take actions on matched rules or a combination thereof;
  
  or a runtime adaptable processor to provide adaptable hardware acceleration on network traffic presented to the said security processor;
  
  or a programmable classification and rules processing engine based on CAM architecture to provide high speed rule searching and security processing to network traffic presented to the said security processor;
  
  or a hardware processor providing transport layer protocol processing;
  
  or a combination of two or more of the foregoing, said security solution providing multiple protocol layer security in the said network.
- View Dependent Claims (8, 9, 10, 11, 12, 14)
- - 8. The security solution of claim 7 wherein said security processor provides a transport layer remote direct memory access capability.
  - 9. The security solution of claim 7 further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager and setup rules in the said security processor on at least one of said one or more networked systems to analyze and enforce security based on the said rules.
  - 10. The security solution of claim 9 wherein the central manager comprises at least one of:
    - a. An Application Programming Interface for entering security rules;
      
      b. A Rules Compiler for compiling security rules;
      
      c. A Rules Distribution Engine to distribute rules to the said at least one of said one or more networked systems;
      
      d. A Monitoring interface to monitor the said network;
      
      e. An event recording engine and database to manage the said network and collect events or reports from the said one or more networked systems;
      
      or f. a combination of any of the foregoing.
  - 11. The security solution of claim 9 wherein at least one of said one or more networked systems provides security based on rules for a. OSI protocol layer two to provide layer two or MAC layer security;
    - or b. OSI protocol layer three to provide layer three or network layer security;
      
      or c. OSI protocol layer four to provide layer four or transport layer security;
      
      or d. OSI protocol layers five through seven to provide upper layer or application layer security;
      
      or e. a combination of any two or more of the foregoing.
  - 12. The security solution of claim 7 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, digital rights management, instant message inspection, URL matching, application detection, malicious content identification, extrusion detection, unauthorized access detection, or detecting other security attacks, or a combination of two or more of the foregoing.
  - 14. The combination of claim 7 wherein one of said one or more networked systems is a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, VoIP server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system or gateway device or a combination of two or more of the foregoing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Memory Access Technologies LLC
Original Assignee
Memory Access Technologies LLC
Inventors
Pandya, Ashish A.

Application Number

US11/004,742
Publication Number

US 20050108518A1
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/0485   Networking architectures fo...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 69/12   Protocol engines

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/32   Architecture of open system...

H04L 69/323   in the physical layer [OSI ...

H04L 69/326   in the transport layer [OSI...

H04L 69/329   in the application layer [O...

Runtime adaptable security processor

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

470 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Runtime adaptable security processor

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

470 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links