Network interface and firewall device

US 20070022479A1
Filed: 07/21/2005
Published: 01/25/2007
Est. Priority Date: 07/21/2005
Status: Abandoned Application

First Claim

Patent Images

1. A network processing device, comprising:

a processor associating packets with different levels of trusted communication and managing the packets that are part of a Denial of Service (DoS) attack according to the associated levels of trusted communication.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network processing device provides a novel architecture for conducting firewall and other network interface management operations. In another aspect of the invention, a Unified Policy Management (UPM) architecture uses a same memory and processing structure to integrate firewall policy management with routing and switching decisions. In another embodiment, a Reconfigurable Semantic Processor (RSP) uses a parser to identify different syntactic elements that are then used by one or more Semantic Processing Units (SPUs) to carry out different firewall, network interface, routing, switching, and other packet processing operations.

234 Citations

44 Claims

1. A network processing device, comprising:
- a processor associating packets with different levels of trusted communication and managing the packets that are part of a Denial of Service (DoS) attack according to the associated levels of trusted communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13)
- - 2. The network processing device according to claim 1 wherein the different levels of trusted communication are assigned according to different public and private interfaces receiving the packets.
  - 3. The network processing device according to claim 1 wherein the processor determines when packets are part of a DoS attack according to a packet threshold rate corresponding to the associated level of trusted communication.
  - 4. The network processing device according to claim 1 including a Content Addressable Memory (CAM) that contains DoS entries for packets associated with possible DoS attacks (DoS candidate packets).
  - 5. The network processing device according to claim 4 wherein the DoS entries in the CAM are indexed according to a destination address.
  - 6. The network processing device according to claim 5 including a DoS status memory that is indexed by the CAM and that contains different fields maintaining DoS status information for the different DoS entries.
  - 7. The network processing device according to claim 6 wherein the DoS status memory includes DoS attack flags that identify DoS entries in the CAM that have been identified as part of a DoS attack.
  - 8. The network processing device according to claim 6 wherein the DoS status memory includes a time stamp that tracks a number of associated DoS candidate packets received within a predetermined time period.
  - 9. The network processing device according to claim 6 wherein the DoS status memory includes generations that associate the DoS entries with different logical sections of the CAM.
  - 10. The network processing device according to claim 9 wherein the processor assigns DoS entries for incoming DoS candidate packets to a current generation in the CAM and may remove other DoS entries in an oldest generation for every new DoS entry assigned to the current generation, the processor upon receiving a packet associated with an existing DoS entry changing the previous generation for the existing DoS entry to the current generation.
  - 12. The network processing device according to claim 9 wherein the processor circulates through the generations in the CAM at predetermined time intervals so that all generations are circulated through the CAM in less than an amount of time required for a time stamp associated with the DoS entries to wraparound to zero.
  - 13. The network processing device according to claim 6 wherein the DoS status memory is a Static Random Access Memory (SRAM) that contains offset values that address counters in a Dynamic Random Access Memory (DRAM) that track a number of packets received during a predetermined time period for the different DoS entries.

11. A method for tracking rate limits for packets, comprising:
- receiving packets having different associated packet addresses;
  
  using different counters to track a number of packets received for the different associated packet addresses;
  
  assigning timestamps for the different packet addresses; and
  
  resetting the different counters only upon receiving a packet corresponding with a packet address that has an expired timestamp value.

14. A method for monitoring and filtering Denial of Service (DoS) attacks, comprising:
- identifying a packet associated with a possible DoS attack;
  
  tracking the status of the packet as a DoS entry in a memory;
  
  allowing a new packet to pass when there is no previous DoS entry in the memory; and
  
  adding a new DoS entry into the memory for the new packet after the new packet has already been allowed to pass.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method according to claim 14 including:
    - receiving a packet that already has a DoS entry in the memory;
      
      dropping the packet when a DoS attack flag in the corresponding DoS entry is set;
      
      updating a time stamp, counter, and the DoS attack flag for the corresponding DoS entry when the time stamp is older than a predetermined time period.
  - 16. The method according to claim 14 including:
    - receiving a packet that already has a DoS entry in the memory;
      
      allowing the packet to pass when a DoS attack flag in the corresponding DoS entry is not set;
      
      incrementing a counter for the corresponding DoS entry after the packet has been allowed to pass;
      
      setting a DoS attack flag when the counter is above a DoS attack threshold and a time stamp for the corresponding DoS entry is within a predetermined time period.
  - 17. The method according to claim 14 removing a DoS entry assigned to a next generation in the memory for every new DoS entry assigned to a current generation in the memory.
  - 18. The method according to claim 17 including receiving a packet associated with an existing DoS entry in the memory and changing the previous generation for the existing DoS entry to a current generation.
  - 19. The method according to claim 18 including circulating through each generation in the memory at predetermined time intervals where the combined time to circulate through all of the generations in the memory is less than the amount of time required for a time stamp associated with the DoS entry to wraparound to zero.

20. A firewall, comprising:
- a processor identifying Denial of Service (DoS) candidate packets that are associated with a possible Denial of Service (DoS) attack;
  
  a Content Addressable Memory (CAM) containing DoS entries that index the DoS candidate packets according to an associated destination address; and
  
  a status memory indexed by the CAM and containing DoS status for the different DOS entries.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The firewall according to claim 20 wherein the DoS entries are also indexed according to interface zones associated with different levels of trusted communication for received packets.
  - 22. The firewall according to claim 20 wherein the CAM is partitioned into logical generation regions that the processor cycles through at periodic time periods or when the generation regions are filled with DoS entries, the processor assigning new DoS entries to a current generation region and removing DoS entries from a next generation region.
  - 23. The firewall according to claim 22 including generation tables that the processor accesses to identify which locations in the CAM do not contain DoS entries and to identify where the DoS entries are located for each generation region.
  - 24. The firewall according to claim 20 wherein the processor includes:
    - a direct execution parser that parses incoming packets to identify the DoS candidate packets; and
      
      one or more Semantic Processing Units (SPUs) that identify the DoS candidate packets that are part of a DOS attack allowing the DoS candidate packets that are not part of the DOS attack to pass through the firewall while dropping the DoS candidate packets that are identified as a part of the DOS attack.

25. A network processing device, comprising:
- a processor configured to use a same memory subsystem as a Forwarding Information Base (FIB) and for firewall policy management.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 26. The network processing device according to claim 25 wherein the processor compares a destination address and firewall policy metrics contained in the packets with a same set of Access Control List (ACL) entries in the memory subsystem for making both routing or switching decisions and for performing firewall operations.
  - 27. The network processing device according to claim 25 wherein the ACL entries include predicates corresponding with the destination address and firewall policy metrics in the packets and actions that indicate what firewall or forwarding operations to perform on the packets.
  - 28. The network processing device according to claim 25 wherein the processor includes:
    - a data parser configured to identify an address and firewall metrics in packets; and
      
      one or more Semantic Processing Units (SPUs) that perform both firewall operations and packet forwarding operations on the packets according to the identified address and firewall metrics.
  - 29. The network processing device according to claim 28 including a Content Addressable Memory (CAM) that contains an Access Control List (ACL) table, the SPUs combining the identified address and firewall metrics identified by the data parser into predicate sets that are then applied to the CAM to identify associated firewall and forwarding actions.
  - 30. The network processing device according to claim 29 wherein the CAM includes a conversion table that is used by the SPUs to convert addresses in the packets between a public IP address and a private address.
  - 31. The network processing device according to claim 29 including a conversion table that is used in combination with the CAM to convert the packets between different IP version formats.
  - 32. The network processing device according to claim 31 wherein the same CAM contains conversion tables for both converting the addresses in the packets between a public IP address and a private address and converting the packets between different IP version formats.
  - 33. The network processing device according to claim 29 including ACL entries in the CAM that identify encrypted packets that are part of a Virtual Private Network (VPN) tunnel and direct the SPUs to decrypt the identified encrypted packets.
  - 34. The network processing according to claim 28 wherein the ACL table includes ACL entries that identify packets directed to sub-networks having virus detection licenses and cause the SPUs to conduct virus detection on the identified packets.

35. A semantic processor, comprising:
- a parser that parses packets to identify syntactic elements associated with network interface operations, the parser then launching microinstructions according to the identified syntactic elements; and
  
  one or more Semantic Processing Units (SPUs) that conduct the network interface operations by executing the microinstructions launched by the direct execution parser.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44)
- - 37. The semantic processor according to claim 35 wherein the parser identifies Denial of Service (DOS) packets that are possibly part of a DOS attack, the parser causing the SPUs to monitor a rate that the DoS candidate packets are received and either drop or pass the DoS candidate packets according to the monitored rate.
  - 38. The semantic processor according to claim 35 including an Access Control List (ACL) that includes entries having predicates corresponding with packet semantic elements identified by the parser and actions that are used by the one or more SPUs to determine what firewall operations to perform on the packets.
  - 39. The semantic processor according to claim 38 including a Forwarding Information Base (FIB) including destination addresses and corresponding output ports, the one or more SPUs using a combination of the predicates from the ACL and the destination addresses from the FIB to determine how to forward and process the packets.
  - 40. The semantic processor according to claim 39 wherein the ACL includes different Uniform Resource Locator (URL) predicates associated with different output ports for the same destination address predicate, the parser identifying a destination address and URL value contained in the packets and the SPUs forwarding the packets to the output port identified in the ACL having a matching destination address predicate and URL predicate.
  - 41. The semantic processor according to claim 35 including a Network Address Translation and/or Port Address Translation (NAT/PAT) lookup table that maps public addresses with private addresses, the parser identifying the public or private addresses in the packets and directing the one or more SPUs to replace the private or public address with the corresponding public or private address from the lookup table.
  - 42. The semantic processor according to claim 35 including an Internet Protocol (IP) version translation table that maps addresses for a first IP version format with corresponding addresses for a second IP version format, the parser identifying the IP version format used in the packets and directing the SPUs to replace the addresses in the packets with a different address for the other IP version format.
  - 43. The semantic processor according to claim 35 including a Virtual Private Network (VPN) table that associates a decryption key, decryption algorithm identifier, and/or authentication algorithm identifier with associated Security Parameter Indices (SPIs), the parser identifying the SPIs in packets and directing the SPUs to apply the identified SPIs to the VPN table and then decrypt the packets according to the decryption key, decryption algorithm identifier, and/or authentication algorithm identifier received back from the VPN table.
  - 44. The semantic processor according to claim 35 including an anti-virus table that associates different sub-networks with anti-virus licenses, the parser identifying destination addresses in packets and directing the SPUs to apply the destination addresses to the anti-virus table and conduct anti-virus operations on the packets identified as being directed to sub-networks with anti-virus licenses.

36. The semantic processor according 35 including:
- an input port configured to receive data symbols;
  
  a direct execution parser stack storing stack symbols, the parser processing stack symbols in response to the received data symbols;
  
  a parser table populated with production rule codes indexable by the combination of at least one received data symbol and a symbol supplied by the parser;
  
  a production rule table populated with production rules indexable by production rule codes; and
  
  a semantic code table accessible by the SPUs and populated with machine instructions indexed by the production rule codes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GigaFin Networks, Inc. (Infinity Security Solutions, Inc.)
Original Assignee
GigaFin Networks, Inc. (Infinity Security Solutions, Inc.)
Inventors
Sikdar, Somsubhra, Jalali, Caveh, Ellis, Steven, Rowett, Kevin

Application Number

US11/187,049
Publication Number

US 20070022479A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/0218 Distributed architectures, ...

H04L 63/1458 Denial of Service

Network interface and firewall device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

234 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Network interface and firewall device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

234 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links