Methods, systems, and computer program products for implementing function-parallel network firewall
3 Assignments
0 Petitions
Abstract
Methods, systems, and computer program products for providing function-parallel firewalls are disclosed. According to one aspect, a function-parallel firewall includes a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules. The first portion includes less than all of the rules in the rule set. At least one second firewall node filters packets using a second portion of the rule set. The second portion includes at least one rule in the rule set that is not present in the first portion. The first and second portions together include all of the rules in the rule set.
323 Citations
52 Claims
1. A function-parallel firewall comprising:
(a) a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules, the first portion including less than all of the rules in the rule set; and
(b) at least one second firewall node for filtering packets using a second portion of the rule set, the second portion including at least one rule in the rule set that is not present in the first portion, wherein the first and second portions together include all of the rules in the rule set.
Dependent claims: 2-18.

19. A stateful function-parallel firewall system comprising:
(a) a first function-parallel firewall subsystem including a plurality of firewall nodes implementing a first rule set for filtering packets arriving in a network, wherein the first function-parallel firewall subsystem includes at least first and second firewall nodes respectively implementing first and second portions of the first rule set, the first portion including at least one rule that is not present in the second portion; and
(b) a second function-parallel firewall subsystem including a second set of firewall nodes implementing a second rule set for filtering packets departing from the network, wherein the second function-parallel firewall subsystem includes at least third and fourth firewall nodes, the third and fourth firewall nodes implementing first and second portions of the second rule set, the first portion of the second rule set including at least one rule that is not present in the second portion of the second rule set, wherein the first and second function-parallel firewall subsystems share state information regarding connections established through the first and second sets of firewall nodes.
Dependent claims: 20-26.

27. A firewall grid comprising:
(a) a plurality of firewall nodes being physically connected to each other via a network for filtering packets; and
(b) a controller for controlling logical connections between the firewall nodes, wherein the controller is adapted to configure the firewall nodes in a logical firewall hierarchy without changing physical connections between the firewall nodes.
Dependent claims: 28-30.

31. A system for providing network access control based on a function-parallel policy, the system comprising:
(a) a first node for filtering received packets using a first portion of a rule set including a plurality of rules, the first portion including less than all of the rules in the rule set; and
(b) at least one second node for filtering packets using a second portion of the rule set, the second portion including at least one rule in the rule set that is not present in the first portion, wherein the first and second portions together include all of the rules in the rule set.
Dependent claims: 32-34.

35. A method for controlling access to a network based on a set of packet filtering rules distributed in a function-parallel manner, the method comprising:
(a) distributing packet filtering rules of a rule set among a plurality of different nodes in a function-parallel manner so that at least some of the different nodes implement different portions of the rule set;
(b) replicating packets to each of the nodes; and
(c) applying the rules to filter the packets.
Dependent claims: 36-40.

41. A method for distributing rules in a function-parallel firewall, the method comprising:
(a) defining a rule set for a function-parallel firewall;
(b) assigning rules in the rule set to nodes and branches in a trie data structure, wherein each node in the trie data structure corresponds to a data field and each branch represents a value for each data field to be compared to values in corresponding fields in received packets; and
(c) pruning the trie data structure in a manner that preserves ordering of the rules in the rule set.
Dependent claims: 42-44.

45. A method for assigning rules to a plurality of firewall nodes, the method comprising:
(a) assigning packet filtering rules to nodes in a directed acyclical graph (DAG);
(b) representing relationships between rules by edges in the DAG; and
(c) distributing the rules among a plurality of firewall nodes using the DAG such that different firewall nodes implement different rules and such that relationships between the rules specified in the DAG are preserved.
Dependent claims: 46-49.

50. A computer program product comprising computer executable instructions embodied in a computer readable medium for performing steps comprising:
(a) distributing packet filtering rules of a rule set among a plurality of different nodes in a function-parallel manner so that at least some of the different nodes implement different portions of the rule set;
(b) replicating packets to each of the nodes; and
(c) applying the rules to filter the packets.

51. A computer program product comprising computer executable instructions embodied in a computer readable medium for performing steps comprising:
(a) defining a rule set for a function-parallel firewall;
(b) assigning rules in the rule set to nodes and branches in a trie data structure, wherein each node in the trie data structure corresponds to a data field and each branch represents a value for each data field to be compared to values in corresponding fields in received packets; and
(c) pruning the trie data structure in a manner that preserves ordering of the rules in the rule set.

52. A computer program product comprising computer executable instructions embodied in a computer readable medium for performing steps comprising:
(a) assigning rules to nodes in a directed acyclical graph (DAG);
(b) representing relationships between rules by edges in the DAG; and
(c) distributing the rules among a plurality of firewall nodes using the DAG such that the relationships between the rules specified in the DAG are preserved.
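The following Python simulation is an added worked example; it is not code from the patent, its inventors or its assignee. It models what claims 35 and 45 (and their computer-program-product counterparts, claims 50 and 52) describe: a rule set split so that nodes hold different portions, every packet replicated to every node, each node filtering with its own portion, and the per-node results combined. The claims do not say how the per-node results are combined or what "relationships between rules" the DAG records, so the following are assumptions made here, not the patent's teaching: first-match semantics with an implicit final drop; each node reports the original index of its first matching rule and the lowest index across nodes wins; and the DAG has an edge from rule i to rule j (i < j) when the two rules can match a common packet and disagree on the action, with the check applied to the transitive closure of that relation. The policy, addresses and traffic are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Set, Tuple

Packet = Tuple[str, str, str, int]  # (proto, src, dst, dport)


@dataclass(frozen=True)
class Rule:
    match: Tuple[Optional[str], Optional[str], Optional[str], Optional[int]]  # proto, src, dst, dport; None = any
    action: str  # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return all(f is None or f == p for f, p in zip(self.match, pkt))

    def overlaps(self, other: "Rule") -> bool:
        # Some packet can satisfy both rules iff every field pair is compatible.
        return all(a is None or b is None or a == b for a, b in zip(self.match, other.match))


# Constructed sample policy (an assumption, not taken from the patent).
# Rule 0 shadows part of rule 3, so their relative order decides that host's fate.
POLICY: List[Rule] = [
    Rule(("tcp", "10.0.0.5", None, 22), "drop"),    # 0: no SSH from this host
    Rule(("tcp", None, "10.0.1.2", 80), "accept"),  # 1: web server
    Rule(("udp", None, "10.0.1.3", 53), "accept"),  # 2: resolver
    Rule(("tcp", None, None, 22), "accept"),        # 3: SSH from anyone else
    Rule((None, None, None, None), "drop"),         # 4: default deny
]
Portion = List[Tuple[int, Rule]]  # (original index, rule) pairs held by one node


def sequential_decision(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Reference semantics: a single node walks the whole rule set in order."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return i, r.action
    return len(rules), "drop"


def precedence_dag(rules: List[Rule]) -> Set[Tuple[int, int]]:
    """Edges (i, j): rule i must be decided before rule j (assumed definition:
    i < j, the rules can match a common packet, and their actions differ).
    Returned as the transitive closure so indirect conflicts survive a split."""
    n = len(rules)
    edges = {(i, j) for i in range(n) for j in range(i + 1, n)
             if rules[i].overlaps(rules[j]) and rules[i].action != rules[j].action}
    for k in range(n):  # Warshall closure
        edges |= {(i, j) for i in range(n) for j in range(n) if (i, k) in edges and (k, j) in edges}
    return edges


def distribute(rules: List[Rule], n_nodes: int) -> List[Portion]:
    """Claim 35(a): round-robin each rule to one node, so nodes hold different
    portions; the original index travels with the rule."""
    nodes: List[Portion] = [[] for _ in range(n_nodes)]
    for i, r in enumerate(rules):
        nodes[i % n_nodes].append((i, r))
    return nodes


def swap_within_node(nodes: List[Portion], node: int, a: int, b: int) -> List[Portion]:
    """Copy of a split with two entries of one node's portion exchanged."""
    out = [list(p) for p in nodes]
    out[node][a], out[node][b] = out[node][b], out[node][a]
    return out


def respects_dag(nodes: List[Portion], dag: Set[Tuple[int, int]]) -> bool:
    """A node may reorder its portion (e.g. hot rules first) only if no closure
    edge inside that portion is inverted; cross-node order is restored by the
    combiner taking the lowest original index."""
    for portion in nodes:
        pos = {i: k for k, (i, _) in enumerate(portion)}
        if any(i in pos and j in pos and pos[i] > pos[j] for i, j in dag):
            return False
    return True


def node_decision(portion: Portion, pkt: Packet) -> Optional[Tuple[int, str]]:
    """One firewall node: first match within its own portion only."""
    for i, r in portion:
        if r.matches(pkt):
            return i, r.action
    return None


def parallel_decision(nodes: List[Portion], pkt: Packet, n_rules: int) -> Tuple[int, str]:
    """Claim 35(b)-(c): replicate the packet to every node, filter with each
    portion, then combine; the hit with the lowest original index wins."""
    hits = [h for h in (node_decision(p, pkt) for p in nodes) if h is not None]
    return min(hits) if hits else (n_rules, "drop")


def sample_packets() -> List[Packet]:
    """Constructed traffic that exercises every rule, including shadowed cases."""
    return list(product(["tcp", "udp"], ["10.0.0.5", "10.0.0.9"], ["10.0.1.2", "10.0.1.3"], [22, 53, 80, 443]))


def count_mismatches(nodes: List[Portion], rules: List[Rule]) -> int:
    """Packets whose accept/drop outcome differs from the sequential reference;
    zero means the split is policy-preserving."""
    return sum(parallel_decision(nodes, p, len(rules))[1] != sequential_decision(rules, p)[1]
               for p in sample_packets())


if __name__ == "__main__":
    dag = precedence_dag(POLICY)
    nodes = distribute(POLICY, 2)  # node 0 holds rules 0, 2, 4; node 1 holds rules 1, 3
    print("closure edges:", sorted(dag))
    print("ordered split:", respects_dag(nodes, dag), count_mismatches(nodes, POLICY))
    bad = swap_within_node(nodes, 0, 1, 2)  # default deny moved ahead of the DNS rule
    print("bad reorder:  ", respects_dag(bad, dag), count_mismatches(bad, POLICY))
```

Run stand-alone it prints the closure edges, shows that the round-robin split agrees with sequential evaluation on every sample packet, and then shows that moving the default-deny rule ahead of the DNS rule inside node 0 both fails the DAG check and flips the decision on the two DNS packets. The closure matters because a node only sees its own portion: two rules with no direct edge between them may still be linked through a rule that lives on a different node, and a node that reorders them locally would report a later index than the true first match.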