INTERNET SECURITY SYSTEM

US 20060209836A1
Filed: 06/06/2006
Published: 09/21/2006
Est. Priority Date: 03/30/2001
Status: Active Grant

First Claim

Patent Images

1-27. -27. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet in a packet forwarding device. A data packet is received. A virtual local area network destination is determined for the received data packet, and a set of rules associated with the virtual local area network destination is identified. The rules are applied to the data packet. If a virtual local area network destination has been determined for the received data packet, the data packet is output to the destination, using the result from the application of the rules. If no destination has been determined, the data packet is dropped. A security system for partitioning security system resources into a plurality of separate security domains that are configurable to enforce one or more policies and to allocate security system resources to the one or more security domains, is also described.

Citations

65 Claims

1-27. -27. (canceled)

28. A data processing system for processing data packets transferred over a network, the data processing system comprising:
- a firewall engine, the firewall engine being operable to;
  
  receive a set of firewall policies; and
  
  apply the firewall policies to a data packet;
  
  an authentication engine, the authentication engine being operable to;
  
  receive a set of authentication policies; and
  
  authenticate a data packet in accordance with the authentication policies;
  
  one or more virtual private networks, each virtual private network having an associated destination address and policies; and
  
  a controller being operable to;
  
  detect an incoming data packet;
  
  examine the incoming data packet for a virtual private network destination address;
  
  identify the policies associated with the virtual private network destination;
  
  if the policies include firewall policies, then call the firewall engine and apply the set of firewall policies corresponding to the virtual private network destination to the data packet;
  
  if the policies include authentication policies, then call the authentication engine and apply the set of authentication policies corresponding to the virtual private network destination to the data packet; and
  
  route the data packet to the virtual private network containing the data packet'"'"'s destination address.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The data processing system of claim 28, wherein the controller is operable to examine the incoming data packet by:
    - extracting layer information from the data packet, the layer information being selected from the group consisting of layer 2 information, layer 3 information, layer 4 information and layer 7 information; and
      
      using the extracted layer information to determine a virtual private network destination address.
  - 30. The data processing system of claim 28, wherein the authentication policies include one or more of:
    - network address translation, mobile internet protocol, virtual internet protocol, user authentication and URL blocking.
  - 31. The data processing system of claim 28, wherein the firewall policies include one or more of:
    - incoming policies and outgoing policies for a virtual local area network destination.
  - 32. The data processing system of claim 28, wherein the controller is operable to route the data packet by:
    - reading a set of entries in a private routing table; and
      
      outputting the data packet to its virtual private network destination address using a routing protocol associated with the packet'"'"'s virtual private network destination address.

33. A method for screening data packets transferred over a network, the method comprising:
- connecting to one or more virtual local area networks;
  
  associating a set of firewall configuration settings with each of the one or more virtual local area networks;
  
  receiving an incoming data packet;
  
  screening the incoming data packet in accordance with a set of firewall configuration settings; and
  
  outputting the screened data packet to a particular virtual local area network among the one or more virtual local area networks, based on the result of the screening.
- View Dependent Claims (34, 35, 36, 37, 38)
- - 34. The method of claim 33, further comprising applying a traffic policy to the received data packet, the traffic policy being applied to all incoming data packets independent of the packets'"'"' local area network destination.
  - 35. The method of claim 33, wherein screening the data packet comprises applying a set of rules selected from the group consisting of network address translation, mobile internet protocol, virtual internet protocol, user authentication and URL blocking.
  - 36. The method of claim 33, wherein screening the data packet comprises applying a set of policies selected from the group consisting of incoming policies and outgoing policies for a virtual local area network destination.
  - 37. The method of claim 33, further comprising:
    - determining available resources for outputting the data packet to the virtual local area network destination, the resources being definable by a user; and
      
      wherein outputting the data packet comprises;
      
      outputting the data packet to a determined virtual local area network destination in accordance with the determined available resources.
  - 38. The method of claim 33, wherein outputting the data packet comprises:
    - if a virtual local area network destination has been determined for the received data packet, reading a set of entries in a private routing table; and
      
      outputting the data packet to its virtual local area network destination using a routing protocol for the packet virtual local area network destination.

39-49. -49. (canceled)

50. A security system, comprising:
- security system resources including firewall services; and
  
  a controller operable to partition the security system resources into a plurality of separate security domains, each security domain being configurable to enforce one or more policies relating to a specific subsystem, and to allocate security system resources to the one or more security domains.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 51. The security system of claim 50, wherein the security system further is operable to allocate security system resources to a specific subsystem.
  - 52. The security system of claim 50, wherein the specific subsystem is a computer network.
  - 53. The security system of claim 50, wherein the specific subsystem is a device connected to a computer network.
  - 54. The security system of claim 50, wherein each security domain includes a user interface for viewing and modifying a set of policies relating to a specific subsystem.
  - 55. The security system of claim 54, wherein the security system resources further include authentication services.
  - 56. The security system of claim 54, wherein the security system resources further include virtual private network (VPN) services.
  - 57. The security system of claim 54, wherein the security system resources further include traffic management services.
  - 58. The security system of claim 51, wherein the security system resources further include encryption services.
  - 59. The security system of claim 54, wherein the security system resources further include one or more of:
    - administrative tools, logging, counting, alarming and notification facilities, and resources for setting up additional subsystems.
  - 60. The security system of claim 50, further comprising a management device operable to provide a service domain, the service domain being configurable to enforce one or more policies for all security domains.
  - 61. The security system of claim 60, wherein the management device includes a user interface for viewing, adding and modifying any set of policies associated with any specific subsystem and the set of policies associated with the service domain.
  - 62. The security system of claim 60, wherein the service domain includes a global address book.
  - 63. The security system of claim 50, wherein each set of security domain policies includes one or more policies for incoming data packets, policies for outgoing packets, policies for virtual tunneling, authentication policies, traffic regulating policies and firewall policies.
  - 64. The security system of claim 63, wherein the policies for virtual tunneling are selected from the group consisting of PPTP, L2TP and IPSec tunneling protocols.
  - 65. The security system of claim 50, wherein one or more of the plurality of security domains include a unique address book.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Mao, Yuming, Ke, Yan, Leu, Brian Yean-Shiang, Xu, Wilson

Granted Patent

US 9,185,075 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4645   Details on frame tagging ro...

H04L 12/467   Arrangements for supporting...

H04L 49/25   Routing or path finding in ...

H04L 49/351   for local area network [LAN...

H04L 49/354   for supporting virtual loca...

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

INTERNET SECURITY SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

65 Claims

Specification

Solutions

Use Cases

Quick Links

INTERNET SECURITY SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

65 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links