Network interface device

US 20070208854A1
Filed: 03/03/2006
Published: 09/06/2007
Est. Priority Date: 03/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for defining a policy including a set of rules for a packet forwarding device, the method comprising:

receiving information sufficient to enable a first rule related to one of security or traffic management to be defined; and

based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are methods and apparatus, including computer program products, for defining a policy including a set of rules for a packet forwarding device by receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.

58 Citations

View as Search Results

27 Claims

1. A method for defining a policy including a set of rules for a packet forwarding device, the method comprising:
- receiving information sufficient to enable a first rule related to one of security or traffic management to be defined; and
  
  based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the second rule is defined without requiring any further information to be received.
  - 3. The method of claim 1, wherein the information sufficient to enable the first rule to be defined is received from a user, and the second rule is automatically defined without requiring any further input from the user.
  - 4. The method of claim 1, wherein the packet forwarding device is capable of processing data packets received from a local area network and bound for a wide area network in accordance with the defined policy.
  - 5. The method of claim 1, wherein the packet forwarding device is capable of processing data packets received from a wide area network and bound for a local area network in accordance with the defined policy.
  - 6. The method of claim 1, wherein receiving information sufficient to enable a first rule related to security or traffic management to be defined comprises:
    - receiving first information identifying a service; and
      
      receiving second information defining a set of actions to govern data traffic associated with the identified service.
  - 7. The method of claim 6, wherein the second information comprises one or more of the following:
    - information related to attributes of IP address matching, information related to operation parameters, and information related to service parameters.
  - 8. The method of claim 1, wherein receiving information sufficient to enable a first rule related to security or traffic management to be defined comprises:
    - receiving first information identifying a total amount of available bandwidth for a network link;
      
      receiving second information identifying a class of service; and
      
      determining a percentage of the total amount of available bandwidth to be guaranteed to the identified class of service.
  - 9. The method of claim 1, further comprising:
    - accessing pre-stored information associating each of a set of services with a class of service and associating each of a set of classes of service with one or more services, wherein;
      
      the set of services comprises one or more of the following;
      
      a voice service, a video service, and a data service; and
      
      the set of classes of service comprises one or more of the following;
      
      a premium class of service, a critical class of service, and a standard class of service.
  - 10. The method of claim 9, wherein automatically enabling a corresponding second rule related to the other one of security or traffic management to be defined comprises:
    - examining the received information to identify a service the first rule related to one of security or traffic management is to be applied; and
      
      enabling a second rule related to the other one or security or traffic management to be defined based on the class of service associated with the identified service.
  - 11. The method of claim 10, wherein when the service is identified as a voice service, the enabling comprises:
    - identifying a number of calls to be simultaneously permitted per codec for the premium class of service associated with the voice service.
  - 12. The method of claim 9, wherein automatically enabling a corresponding second rule related to the other one of security or traffic management to be defined comprises:
    - examining the received information to identify a class of service the first rule related to one of security or traffic management is to be applied; and
      
      enabling a second rule related to the other one or security or traffic management to be defined based on the one or more services associated with the identified class of service.

13. An apparatus comprising:
- management logic to;
  
  receive information sufficient to enable a first rule related to one of security or traffic management to be defined,enable a corresponding second rule related to the other one of security or traffic management to be defined based on the received information, andstore attributes of the first rule and attributes of the second rule in a configuration database; and
  
  coordination logic to;
  
  send a first signal to a first engine of a packet forwarding device to notify the first engine of the newly-stored attributes of the first rule, andsend a second signal to a second engine of the packet forwarding device to notify the second engine of the newly-stored attributes of the second rule.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The apparatus of claim 13, wherein the information sufficient to enable the first rule related to one of security or traffic management to be defined is provided by a user using a graphical user interface.
  - 15. The apparatus of claim 14, wherein the second rule related to the other one of security or traffic management is automatically defined without requiring any further input to be received from the user.
  - 16. The apparatus of claim 13, wherein the second rule related to the other one of security or traffic management is defined without requiring any further information to be received by the management logic.
  - 17. The apparatus of claim 13, wherein:
    - the first rule is related to security and the first engine is a security engine; and
      
      the second rule is related to traffic management and the second engine is a quality of service engine.
  - 18. The apparatus of claim 13, wherein:
    - the first rule is related to traffic management and the first engine is a quality of service engine; and
      
      the second rule is related to security and the second engine is a security engine.
  - 19. The apparatus of claim 13, wherein the coordination logic is to configure a first engine and a second engine of a packet forwarding device that is capable of processing data packets passing between a local area network and a wide area network.

20. A network device comprising:
- a first network interface and a second network interface, each of the network interfaces being capable of bidirectional communication;
  
  a policy including a set of rules for the device, the set of rules including security rules and traffic management rules;
  
  a security engine to filter packets received at the first network interface of the device, the security engine comprising logic to classify each of the packets received at the first network interface, and logic to process the classified packets in accordance with one or more of the security rules to identify accepted packets; and
  
  a quality of service engine to schedule the accepted packets for transmission through the second network interface of the device, the quality of service engine comprising logic to queue the accepted packets for transmission based on the classifying performed by the security engine, and logic to process each of the accepted packets queued for transmission in accordance with one or more of the traffic management rules.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The device of claim 20, wherein for each packet received at the network interface, the security engine comprises logic to identify a data flow associated with the packet.
  - 22. The device of claim 21, wherein the logic to identify the data flow associated with the packet comprises logic to examine network layer addressing data in the packet.
  - 23. The device of claim 22, wherein the logic to examine the network layer addressing data comprises logic to identify destination network layer addresses of the packet.
  - 24. The device of claim 21, wherein the logic to identify the data flow associated with the packet comprises logic to examine application layer data in the packet.
  - 25. The device of claim 20, wherein the logic to classify a packet received at the first network interface comprises logic to:
    - examine the packet to identify a service associated with the packet;
      
      determine which one of the security rules is to be applied to the packet based on its identified service; and
      
      classify the packet in accordance with the security rule to be applied.
  - 26. The device of claim 20, wherein the logic to process the classified packets in accordance with one or more of the security rules to identify accepted packets comprises logic to perform functionality of one or more of the following:
    - network address translation, application layer gateway, and admission control.
  - 27. The device of claim 20, wherein the logic to process each of the accepted packets queued for transmission in accordance with one or more of the traffic management rules comprises logic to perform one or more of the following:
    - rate shaping packet processing, maximum segment size packet processing, and type of service packet processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
Sridhar, Manickam R., Wiryaman, Santa

Granted Patent

US 7,970,899 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 63/029 Firewall traversal, e.g. tu...

H04L 63/20 for managing network securi...

Network interface device

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Network interface device

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links