Packet firewalls of particular use in packet switching devices
Abstract
One or more firewalls are used to perform firewall functionality on packets based on the entry and exit accesses of each of the one or more firewalls being applied to a packet. For example, when firewalls are included in a router, the interfaces of the router are typically mapped to virtual firewalls and to accesses thereof. Based on the determined routing of a particular packet, the firewalls to apply and their corresponding entry and exit accesses are identified. In order to decouple the firewall's own application of security policies from the network topology and routing architecture (e.g., the network routing address information that current firewalls typically rely on), the firewall functionality is defined based on the identified entry and exit accesses of a firewall rather than, for example, on network-defined addresses.
37 Claims
1. An apparatus for processing packets, the apparatus comprising:
a plurality of interfaces configured to receive and send packets;
a firewall configured to perform firewall functionality on packets; and
routing or switching or control functionality configured to control the processing and movement of packets between the plurality of interfaces and said firewall;
wherein the firewall is associated with a plurality of accesses, each interface of said interfaces is mapped to an access of said accesses;
wherein said performance of said firewall functionality performed on a particular packet is determined based on a particular entry access and a particular exit access of said accesses determined based on the routing of the particular packet between said interfaces, and programming of said firewall functionality based on said entry and exit accesses corresponding to the packet.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. An apparatus for processing packets, the apparatus comprising:
a plurality of interfaces configured to receive and send packets;
a plurality of firewalls with each configured to perform firewall functionality on packets, each of said firewalls including a plurality of accesses, with each of said interfaces mapped to one of said firewalls and an access associated therewith;
wherein said performance of said firewall functionality performed on a particular packet is determined based on a particular firewall of said firewalls, an entry access and an exit access of said accesses of said particular firewall corresponding to the particular packet, and programming of the particular firewall referencing the entry access and the exit access; and
routing or switching or control functionality configured to control the processing and movement of said packets between the plurality of interfaces and said firewalls.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
25. An apparatus for processing packets, the apparatus comprising:
a plurality of interfaces configured to receive and send packets;
a plurality of virtual firewalls with each configured to perform firewall functionality on packets, each of said virtual firewalls including a plurality of accesses, with each of said interfaces mapped to one of said virtual firewalls and an access associated therewith;
wherein said performance of said firewall functionality performed on a particular packet is determined based on one or more of said virtual firewalls applied to the particular packet, and said firewall functionality applied by each particular virtual firewall of said one or more of said virtual firewalls applied to the particular packet is determined based on the corresponding entry access and exit access of said accesses of said particular virtual firewall corresponding to the particular packet, and programming of the said particular virtual firewall referencing the entry access and the exit access; and
routing or switching or control functionality configured to determine and control the processing and movement of said packets between the plurality of interfaces and said virtual firewalls, wherein said determination for the particular packet includes performing one or more lookup operations in one or more mapping data structures maintaining mappings between the plurality of interfaces and said accesses of the plurality of virtual firewalls to identify said one or more of said virtual firewalls and their entry and exit access thereof.
Dependent claims: 26, 27, 28, 29.
30. A method performed by a packet switching device, the packet switching device comprising:
a plurality of interfaces and a plurality of accesses on each of a plurality of virtual firewalls;
the method comprising:
in response to an identification of a particular packet and an associated particular source interface of the plurality of interfaces and an associated particular destination interface of the plurality of interfaces, determining a particular virtual firewall of said virtual firewalls to apply to the particular packet, an entry access of the particular virtual firewall corresponding to the particular source interface, and an exit access of the particular virtual firewall corresponding to the particular destination interface;
applying the particular virtual firewall to the particular packet based on the entry access and the exit access to determine how to manipulate the particular packet; and
performing said manipulation on the particular packet.
Dependent claims: 31, 32, 33.
34. A method performed by a packet switching device, the packet switching device comprising:
a plurality of interfaces and a plurality of accesses on each of a plurality of virtual firewalls;
the method comprising:
in response to an identification of a particular packet and an associated particular source interface of the plurality of interfaces and an associated particular destination interface of the plurality of interfaces, determining a first particular virtual firewall of said virtual firewalls to apply to the particular packet, a first entry access of the first particular virtual firewall corresponding to the particular source interface and a first exit access of the first particular virtual firewall, and determining a second particular virtual firewall of said virtual firewalls to apply to the particular packet, a second entry access of the second particular virtual firewall and a second exit access of the second particular virtual firewall corresponding to the particular destination interface;
successively applying to the particular packet, in order to determine how to manipulate the particular packet, the first particular virtual firewall based on the first entry and exit accesses and then the second particular virtual firewall based on the second entry and exit accesses; and
performing said manipulation on the particular packet.
35. An apparatus for performing firewall protection, the apparatus comprising:
means for identifying, for a packet received on a first interface with a second interface identified as being a destination of the packet after applying a virtual firewall to the packet, a particular virtual firewall, an entry access of the particular virtual firewall, and an exit access of the particular virtual firewall; and
means for applying the particular virtual firewall to the packet based on the entry access and the exit access to determine how to manipulate the packet.
Dependent claims: 36, 37.
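The mechanism the claims describe (interfaces mapped to accesses of virtual firewalls, policy programmed per entry/exit access pair, a mapping lookup driven by the routing decision, and successive application of two virtual firewalls as in claim 34) can be made concrete with a small model. The following is an added example written for this page, not code from the patent or any implementation of it. The interface names, the route table, the rule matchers and the `transit` access used to chain two virtual firewalls are all assumptions of the model; the addresses come from the RFC 5737 documentation ranges.

```python
# Added example, not from the patent: a toy packet switching device whose
# firewall policy is keyed on (entry access, exit access) of a virtual firewall
# rather than on network addresses. Interface names, routes, rules and the
# "transit" access used to chain two virtual firewalls are assumptions here.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


Rule = Tuple[Callable[[Packet], bool], str]  # (matcher, action)
TRANSIT = "transit"  # assumed access name shared by chained virtual firewalls


@dataclass
class VirtualFirewall:
    name: str
    # Programming is indexed by (entry access, exit access), not by address.
    rules: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)
    default_action: str = "drop"

    def permit(self, entry: str, exit_: str, match: Callable[[Packet], bool]) -> None:
        self.rules.setdefault((entry, exit_), []).append((match, "permit"))

    def apply(self, pkt: Packet, entry: str, exit_: str) -> str:
        """Return the action for pkt given the accesses it enters and leaves by."""
        for match, action in self.rules.get((entry, exit_), []):
            if match(pkt):
                return action
        return self.default_action  # no rule for this access pair: default deny


class PacketSwitchingDevice:
    def __init__(self) -> None:
        self.firewalls: Dict[str, VirtualFirewall] = {}
        # Mapping data structure: interface -> (virtual firewall, access).
        self.iface_map: Dict[str, Tuple[str, str]] = {}
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_firewall(self, fw: VirtualFirewall) -> None:
        self.firewalls[fw.name] = fw

    def map_interface(self, iface: str, fw_name: str, access: str) -> None:
        self.iface_map[iface] = (fw_name, access)

    def add_route(self, prefix: str, egress: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), egress))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first

    def route(self, pkt: Packet) -> str:
        dst = ipaddress.ip_address(pkt.dst_ip)
        for net, egress in self.routes:
            if dst in net:
                return egress
        raise LookupError(f"no route to {pkt.dst_ip}")

    def resolve(self, ingress: str, egress: str) -> List[Tuple[str, str, str]]:
        """Look up which virtual firewall(s) and which entry/exit accesses apply."""
        fw_in, acc_in = self.iface_map[ingress]
        fw_out, acc_out = self.iface_map[egress]
        if fw_in == fw_out:
            return [(fw_in, acc_in, acc_out)]
        # Different virtual firewalls on each side: apply both, chained via TRANSIT.
        return [(fw_in, acc_in, TRANSIT), (fw_out, TRANSIT, acc_out)]

    def process(self, pkt: Packet, ingress: str):
        """Route pkt, apply the resolved firewalls in order, return (verdict, egress, trace)."""
        egress = self.route(pkt)
        trace = []
        for fw_name, entry, exit_ in self.resolve(ingress, egress):
            action = self.firewalls[fw_name].apply(pkt, entry, exit_)
            trace.append((fw_name, entry, exit_, action))
            if action != "permit":
                return "drop", egress, trace
        return "forward", egress, trace


def build_demo_device() -> PacketSwitchingDevice:
    """Constructed topology: two virtual firewalls, three interfaces, documentation prefixes."""
    dev = PacketSwitchingDevice()
    corp = VirtualFirewall("corp")
    corp.permit("inside", "outside", lambda p: p.dst_port in (80, 443))
    corp.permit("inside", TRANSIT, lambda p: True)
    partner = VirtualFirewall("partner")
    partner.permit(TRANSIT, "partner", lambda p: p.dst_port == 443)
    dev.add_firewall(corp)
    dev.add_firewall(partner)
    dev.map_interface("gi0", "corp", "inside")
    dev.map_interface("gi1", "corp", "outside")
    dev.map_interface("gi2", "partner", "partner")
    dev.add_route("10.0.0.0/8", "gi0")
    dev.add_route("203.0.113.0/24", "gi1")
    dev.add_route("192.0.2.0/24", "gi2")
    return dev
```

Calling `build_demo_device().process(Packet("10.1.1.5", "203.0.113.9", 443), "gi0")` routes the packet to `gi1`, resolves the single access pair `("corp", "inside", "outside")` and forwards it; the reverse direction from `gi1` has no programmed pair and is dropped by default. A packet from `gi0` toward `192.0.2.0/24` crosses two virtual firewalls in sequence, and the trace records each one's entry access, exit access and verdict. Because the rules never mention an address, re-homing `gi1` onto a different prefix leaves the policy untouched, which is the decoupling the abstract describes.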