Apparatus and method for facilitating network security

US 20070058540A1
Filed: 08/19/2005
Published: 03/15/2007
Est. Priority Date: 08/19/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus to facilitate network security and traffic monitoring for input network traffic, comprising:

a plurality of microcode controlled state machines, each of said plurality of microcode controlled state machines including a computation kernel operating in accordance with microcode stored in an associated control store;

a distribution circuit to route individual network traffic segments to said plurality of microcode controlled state machines, such that each individual microcode controlled state machine processes a network traffic segment in accordance with microcode stored in an associated control store to produce a processed individual network traffic segment;

an aggregation circuit to route processed individual network traffic segments from said plurality of microcode controlled state machines in accordance with an output routing strategy and thereby produce output network traffic corresponding to said input network traffic.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus is described that facilitates network security and network traffic monitoring through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a set of microcode controlled state machines, each of which applies one or more rules to input network traffic. A distribution circuit routes individual network traffic segments derived from input network traffic to the set of microcode controlled state machines, so that each individual segment is processed in accordance with microcode stored in an associated control store. Each microcode controlled state machine includes a computation kernel operating in accordance with the microcode. An aggregation circuit routes the resulting processed individual network traffic segments in accordance with an output routing policy to produce output network traffic corresponding to the original input network traffic. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security features and network traffic analysis.

Citations

39 Claims

1. An apparatus to facilitate network security and traffic monitoring for input network traffic, comprising:
- a plurality of microcode controlled state machines, each of said plurality of microcode controlled state machines including a computation kernel operating in accordance with microcode stored in an associated control store;
  
  a distribution circuit to route individual network traffic segments to said plurality of microcode controlled state machines, such that each individual microcode controlled state machine processes a network traffic segment in accordance with microcode stored in an associated control store to produce a processed individual network traffic segment;
  
  an aggregation circuit to route processed individual network traffic segments from said plurality of microcode controlled state machines in accordance with an output routing strategy and thereby produce output network traffic corresponding to said input network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 2. The apparatus of claim 1 wherein each of said plurality of microcode controlled state machines has a local buffer to selectively buffer said individual network traffic segments prior to processing by said computational kernel.
  - 3. The apparatus of claim 2 wherein said local buffers of said plurality of microcode controlled state machines operate synchronously to define a processing window for said individual network traffic segments.
  - 4. The apparatus of claim 1 wherein each of said plurality of microcode controlled state machines has a computation kernel including a condition analysis circuit to process an internal state value and microcode from said associated control store.
  - 5. The apparatus of claim 4 wherein said condition analysis circuit generates an output specifying whether conditions defined by said microcode are satisfied.
  - 6. The apparatus of claim 5 wherein said condition analysis circuit generates an output specifying whether a comparison between a microcode stored internal state variable and said internal state value is satisfied.
  - 7. The apparatus of claim 1 wherein each of said plurality of microcode controlled state machines has a computation kernel including a condition check circuit to process a network traffic segment and microcode from said associated control store.
  - 8. The apparatus of claim 7 wherein said condition check circuit generates an output specifying whether conditions defined by said microcode are satisfied.
  - 9. The apparatus of claim 8 wherein said condition check circuit generates an output specifying whether a comparison between a microcode stored operand and data from said traffic segment is satisfied.
  - 10. The apparatus of claim 1 wherein each of said plurality of microcode controlled state machines has an output circuit to process a portion of said network traffic segment, output from a condition analysis circuit and output from a condition check circuit.
  - 11. The apparatus of claim 10 wherein each of said plurality of microcode controlled state machines has an output circuit to implement a microcode specified Boolean logic operation.
  - 12. The apparatus of claim 10 wherein said output circuit generates a next address value.
  - 13. The apparatus of claim 1 wherein said plurality of microcode controlled state machines apply behavioral rules specified by said microcode.
  - 14. The apparatus of claim 13 wherein said plurality of microcode controlled state machines apply network-based behavioral rules specified by said microcode.
  - 15. The apparatus of claim 13 wherein said plurality of microcode controlled state machines apply behavioral rules based upon conditions associated with said input network traffic and said output network traffic.
  - 16. The apparatus of claim 1 wherein said plurality of microcode controlled state machines apply signature-based rules specified by said microcode.
  - 17. The apparatus of claim 1 wherein said plurality of microcode controlled state machines operate collaboratively.
  - 18. The apparatus of claim 17 wherein said plurality of microcode controlled state machines operate to activate and deactivate selected ones of said plurality of microcode controlled state machines.
  - 19. The apparatus of claim 1 wherein said distribution circuit divides said input network traffic into said individual network traffic segments.
  - 20. The apparatus of claim 1 further comprising a pre-processor circuit to divide said input network traffic into said individual network traffic segments.
  - 21. The apparatus of claim 1 wherein said distribution circuit includes at least one frame buffer.
  - 22. The apparatus of claim 1 wherein said at least one frame buffer is configured to support cut-through network traffic processing.
  - 23. The apparatus of claim 1 wherein said at least one frame buffer is configured to support store and forward network traffic processing.
  - 24. The apparatus of claim 1 wherein said distribution circuit includes an input logic circuit.
  - 25. The apparatus of claim 1 wherein said aggregation circuit includes an output logic circuit.
  - 26. The apparatus of claim 25 wherein said aggregation circuit generates control signals to activate and deactivate selected microcode controlled state machines.
  - 27. The apparatus of claim 25 wherein said aggregation circuit generates rule feedback for said microcode stored in said associated control stores of said plurality of microcode controlled state machines.
  - 28. The apparatus of claim 1, wherein said plurality of microcode controlled state machines are configured to monitor any bit of said input network traffic.
  - 29. The apparatus of claim 1 wherein said plurality of microcode controlled state machines, said distribution circuit, and said aggregation circuit operate to redirect said input network traffic.
  - 30. The apparatus of claim 1 wherein said plurality of microcode controlled state machines, said distribution circuit, and said aggregation circuit operate to duplicate said input network traffic.
  - 31. The apparatus of claim 1 wherein said plurality of microcode controlled state machines, said distribution circuit, and said aggregation circuit operate to limit the rate of said input network traffic.
  - 32. The apparatus of claim 1 wherein said plurality of microcode controlled state machines, said distribution circuit, and said aggregation circuit operate to process header and payload of said input network traffic in a unified manner.
  - 33. The apparatus of claim 1 positioned inside a firewall perimeter.
  - 34. The apparatus of claim 1 including a first port to receive said input network traffic, a second port to route said output network traffic, and a third port for management communications and routing of selective output network traffic.
  - 35. The apparatus of claim 1 wherein said distribution circuit, said plurality of microcode controlled state machines and said aggregation circuit form a first path routing traffic in a first direction, said apparatus further comprising a second path routing traffic in a second direction opposite said first direction, said second path including a second distribution circuit aligned with said aggregation circuit, a second plurality of microcode controlled state machines aligned with said plurality of microcode controlled state machines, and a second aggregation circuit aligned with said distribution circuit.
  - 36. The apparatus of claim 35 wherein said plurality of microcode controlled state machines and said second plurality of microcode controlled state machines exchange control information.
  - 37. The apparatus of claim 35 wherein said plurality of microcode controlled state machines and said second plurality of microcode controlled state machines dynamically alternate between processing traffic from said first path and said second path.
  - 38. The apparatus of claim 1 wherein said microcode is derived from a pre-defined, high level language.
  - 39. The apparatus of claim 1, wherein all of said plurality of microcode state machines have simultaneous access to a global state table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cpacket Networks Incorporated
Original Assignee
Cpacket Networks Incorporated
Inventors
Kay, Rony

Granted Patent

US 7,937,756 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/230
CPC Class Codes

H04L 49/00   Packet switching elements

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 69/12   Protocol engines

Apparatus and method for facilitating network security

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for facilitating network security

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links