Packet firewalls of particular use in packet switching devices

US 20070261110A1
Filed: 05/02/2006
Published: 11/08/2007
Est. Priority Date: 05/02/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus for processing packets, the apparatus comprising:

a plurality of interfaces configured to receive and send packets;

a firewall configured to perform firewall functionality on packets; and

routing or switching or control functionality configured to control the processing and movement of packets between the plurality of interfaces and said firewall;

wherein the firewall is associated with a plurality of accesses, each interface of said interfaces is mapped to an access of said accesses;

wherein said performance of said firewall functionality performed on a particular packet is determined based on a particular entry access and a particular exit access of said accesses determined based on the routing of the particular packet between said interfaces, and programming of said firewall functionality based on said entry and exit accesses corresponding to the packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more firewalls are used to perform firewall functionality on packets based on the entry and exit accesses of each of the one or more firewalls being applied to a packet. For example, when firewalls are included in a router, the interfaces of the router are typically mapped to virtual firewalls and access thereof. Based on the determined routing of a particular packet, the firewalls to apply and their corresponding entry and exit accesses are identified. In order to decouple the application by the firewall itself of the security policies from the network topology and routing architecture (e.g., the network routing address information which is typically relied upon by current firewalls), the firewall functionality is defined based on the identified entry and exit accesses of a firewall, rather than based on network defined addresses, for example.

Citations

37 Claims

1. An apparatus for processing packets, the apparatus comprising:
- a plurality of interfaces configured to receive and send packets;
  
  a firewall configured to perform firewall functionality on packets; and
  
  routing or switching or control functionality configured to control the processing and movement of packets between the plurality of interfaces and said firewall;
  
  wherein the firewall is associated with a plurality of accesses, each interface of said interfaces is mapped to an access of said accesses;
  
  wherein said performance of said firewall functionality performed on a particular packet is determined based on a particular entry access and a particular exit access of said accesses determined based on the routing of the particular packet between said interfaces, and programming of said firewall functionality based on said entry and exit accesses corresponding to the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the firewall is a virtual firewall implemented in the apparatus.
  - 3. The apparatus of claim 2, wherein each of the plurality of interfaces is a physical interface.
  - 4. The apparatus of claim 2, wherein the particular entry access and the particular exit access are determined based on one or more lookup operations in one or more mapping data structures maintaining mappings between said accesses of the firewall and the plurality of interfaces.
  - 5. The apparatus of claim 2, wherein said programming of the firewall does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 6. The apparatus of claim 1, wherein said firewall includes at least three accesses, and said programming of said firewall references said at least three accesses.
  - 7. The apparatus of claim 1, wherein at least two of said interfaces are mapped to a single one of said accesses.
  - 8. The apparatus of claim 1, wherein the particular entry access and the particular exit access are determined based on one or more lookup operations in one or more mapping data structures maintaining mappings between said accesses of the firewall and the plurality of interfaces.
  - 9. The apparatus of claim 8, wherein said one or more mapping data structures includes a default access mapping specifying an access of said accesses to be used as default for the firewall.
  - 10. The apparatus of claim 1, wherein said processing of the packets includes determining the particular entry access and the particular exit access based on one or more lookup operations in one or more mapping data structures maintaining mappings between said accesses of the firewall and the plurality of interfaces.

11. An apparatus for processing packets, the apparatus comprising:
- a plurality of interfaces configured to receive and send packets;
  
  a plurality of firewalls with each configured to perform firewall functionality on packets, each of said firewalls including a plurality of accesses, with each of said interfaces mapped to one of said firewalls and an access associated therewith;
  
  wherein said performance of said firewall functionality performed on a particular packet is determined based on a particular firewall of said firewalls, an entry access and an exit access of said accesses of said particular firewall corresponding to the particular packet, and programming of the particular firewall referencing the entry access and the exit access; and
  
  routing or switching or control functionality configured to control the processing and movement of said packets between the plurality of interfaces and said firewalls.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 12. The apparatus of claim 11, wherein each of the plurality of firewalls is a virtual firewall implemented in the apparatus.
  - 13. The apparatus of claim 12, wherein the apparatus is configured to successively apply two of the plurality of firewalls to a particular packet.
  - 14. The apparatus of claim 12, wherein at least two of said firewalls are controlled by separate and independent management entities.
  - 15. The apparatus of claim 12, wherein each of the plurality of interfaces is a physical interface.
  - 16. The apparatus of claim 15, wherein said programming of said firewalls does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 17. The apparatus of claim 15, wherein the particular firewall and its entry and exit accesses for the particular packet are determined based on one or more lookup operations in one or more mapping data structures maintaining mappings between the plurality of interfaces and said firewalls and their accesses.
  - 18. The apparatus of claim 17, wherein said programming of said firewalls does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 19. The apparatus of claim 11, wherein the particular firewall includes at least three accesses, and said programming of the particular firewall references said at least three accesses.
  - 20. The apparatus of claim 11, wherein at least two of said interfaces are mapped to a single one of said accesses on a single one of said firewalls.
  - 21. The apparatus of claim 11, wherein the particular firewall and its entry and exit accesses for the particular packet are determined based on one or more lookup operations in one or more mapping data structures maintaining mappings between the plurality of interfaces and said firewalls and their accesses.
  - 22. The apparatus of claim 21, wherein said one or more mapping data structures includes a default access mapping specifying an access of said accesses to be used as default for at least one of said firewalls.
  - 23. The apparatus of claim 11, wherein said processing of the packets includes determining the particular firewall and its said entry and exit accesses based on one or more lookup operations in one or more mapping data structures maintaining mappings between the plurality of interfaces and said firewalls and their accesses.
  - 24. The apparatus of claim 11, wherein said programming of said firewalls does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.

25. An apparatus for processing packets, the apparatus comprising:
- a plurality of interfaces configured to receive and send packets;
  
  a plurality of virtual firewalls with each configured to perform firewall functionality on packets, each of said virtual firewalls including a plurality of accesses, with each of said interfaces mapped to one of said virtual firewalls and an access associated therewith;
  
  wherein said performance of said firewall functionality performed on a particular packet is determined based on one or more of said virtual firewalls applied to the particular packet, and said firewall functionality applied by each particular virtual firewall of said one or more of said virtual firewalls applied to the particular packet is determined based on the corresponding entry access and exit access of said accesses of said particular virtual firewall corresponding to the particular packet, and programming of the said particular virtual firewall referencing the entry access and the exit access; and
  
  routing or switching or control functionality configured to determine and control the processing and movement of said packets between the plurality of interfaces and said virtual firewalls, wherein said determination for the particular packet includes performing one or more lookup operations in one or more mapping data structures maintaining mappings between the plurality of interfaces and said accesses of the plurality of virtual firewalls to identify said one or more of said virtual firewalls and their entry and exit access thereof.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The apparatus of claim 25, wherein said programming of said virtual firewalls does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 27. The apparatus of claim 25, wherein at least one of said virtual firewalls includes at least three accesses and its said programming referencing said at least three accesses.
  - 28. The apparatus of claim 25, wherein at least two of said interfaces are mapped to a single one of said accesses on a single one of said virtual firewalls of said virtual firewalls.
  - 29. The apparatus of claim 25, wherein said one or more mapping data structures includes a default access mapping specifying an access of said accesses to be used as default for the firewall.

30. A method performed by a packet switching device, the packet switching device comprising:
- a plurality of interfaces and a plurality of accesses on each of a plurality of virtual firewalls;
  
  the method comprising;
  
  in response to an identification of a particular packet and an associated particular source interface of the plurality of interfaces and an associated particular destination interface of the plurality of interfaces, determining a particular virtual firewall of said virtual firewalls on which to apply to the particular packet, an entry access of the particular virtual firewall corresponding the particular source interface, and an exit access of the particular virtual firewall corresponding the particular destination interface; and
  
  applying the particular virtual firewall to the particular packet based on the entry access and the exit access to determine how to manipulate the particular packet; and
  
  performing said manipulation on the particular packet.
- View Dependent Claims (31, 32, 33)
- - 31. The method of claim 30, wherein said manipulation includes modification, dropping or forwarding of the particular packet.
  - 32. The method of claim 30, wherein the packet switching device includes one or more data structures defining mappings between each of the plurality of interfaces and said accesses of said virtual firewalls;
    - and wherein said determining the particular virtual firewall, the entry access and the exit access includes performing one or more lookup operations on said data structures.
  - 33. The method of claim 30, wherein each of said virtual firewalls do not include packet routing functionality.

34. A method performed by a packet switching device, the packet switching device comprising:
- a plurality of interfaces and a plurality of accesses on each of a plurality of virtual firewalls;
  
  the method comprising;
  
  in response to an identification of a particular packet and an associated particular source interface of the plurality of interfaces and an associated particular destination interface of the plurality of interfaces, determining a first particular virtual firewall of said virtual firewalls on which to apply to the particular packet, a first entry access of the particular virtual firewall corresponding the particular source interface and an first exit access of the first particular firewall, and determining a second particular virtual firewall of said virtual firewalls on which to apply to the particular packet, a second entry access of the second particular virtual firewall and a second exit access of the second particular virtual firewall corresponding the particular destination interface; and
  
  successively applying to the particular packet in order to determine how to manipulate the particular packet;
  
  the first particular virtual firewall based on the first entry and exit accesses and then the second particular virtual firewall based on the second entry and exit accesses; and
  
  performing said manipulation on the particular packet.

35. An apparatus for performing firewall protection, the apparatus comprising:
- means for identifying for the packet received on a first interface with a second interface identified as being a destination of the packet after applying a virtual firewall to the packet;
  
  a particular virtual firewall, an entry access of the particular virtual firewall, and an exit access of the particular virtual firewall; and
  
  means for applying the virtual firewall to the particular packet based on the entry access and the exit access to determine how to manipulate the particular packet.
- View Dependent Claims (36, 37)
- - 36. The apparatus of claim 35, including one or more data structures defining mappings between the first and the second interfaces and said entry and exit accesses of the particular virtual firewall;
    - and wherein said means for identifying includes a lookup mechanism configured to perform lookup operations on said data structures.
  - 37. The apparatus of claim 36, wherein said virtual firewall includes a third access in addition to the first and second accesses;
    - and wherein said one or more data structures maps an interface to the third access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Oz, Doron, Ben-Dvora, Nir, Eli, Eldad

Granted Patent

US 8,024,787 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/56   Routing software

H04L 63/0227   Filtering policies mail mes...

Packet firewalls of particular use in packet switching devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Packet firewalls of particular use in packet switching devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links