ROUTING DEVICE HAVING INTEGRATED MPLS-AWARE FIREWALL

US 20100043068A1
Filed: 11/14/2008
Published: 02/18/2010
Est. Priority Date: 08/14/2008
Status: Active Grant

First Claim

Patent Images

1. A network router comprising:

a plurality of interfaces configured to send and receive packets;

a firewall integrated within the network router, the firewall configured to apply stateful firewall services to the packets;

a routing engine comprising a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit executes at least one protocol to establish virtual private network (VPN) tunnels for one or more customer VPNs;

a forwarding engine configured by the routing engine to select next hops for the packets in accordance with the routing information, the forwarding engine comprising a switch fabric to forward the packets to the interfaces based on the selected next hops, wherein the forwarding engine includes a flow control module that, upon receiving packets from the network, directs one or more of the packets to the firewall for application of the stateful firewall services; and

a user interface by which a user specifies one or more zones to be recognized by the firewall when applying the stateful firewall services to the packets, each of the zones defined by a list of one or more of the interfaces, wherein the user interface supports a syntax that allows the user to define the zones by specifying the customer VPNs within lists of interfaces associated with the zones.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer'"'"'s traffic.

Citations

24 Claims

1. A network router comprising:
- a plurality of interfaces configured to send and receive packets;
  
  a firewall integrated within the network router, the firewall configured to apply stateful firewall services to the packets;
  
  a routing engine comprising a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit executes at least one protocol to establish virtual private network (VPN) tunnels for one or more customer VPNs;
  
  a forwarding engine configured by the routing engine to select next hops for the packets in accordance with the routing information, the forwarding engine comprising a switch fabric to forward the packets to the interfaces based on the selected next hops, wherein the forwarding engine includes a flow control module that, upon receiving packets from the network, directs one or more of the packets to the firewall for application of the stateful firewall services; and
  
  a user interface by which a user specifies one or more zones to be recognized by the firewall when applying the stateful firewall services to the packets, each of the zones defined by a list of one or more of the interfaces, wherein the user interface supports a syntax that allows the user to define the zones by specifying the customer VPNs within lists of interfaces associated with the zones.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The network router of claim 1, wherein the firewall stores configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more of the customer VPNs.
  - 3. The network router of claim 1, wherein the control unit of the routing engine executes a network services protocol that communicates mapping information between the routing engine and the firewall, wherein the mapping information associates multi-protocol label switched (MPLS) VPN labels for the VPNs with the identifiers for the customer VPNs.
  - 4. The network router of claim 3, wherein for VPN tunnels for which the network router operates as an egress label switched router, the mapping information between the routing engine and the firewall associates inner VPN labels affixed to packets received from the LSPs by the interface cards with respective ones of the identifiers for the customer VPNs.
  - 5. The network router of claim 3, wherein for VPN tunnels for which the network router operates as an ingress label switched router, the mapping information communicated between the routing engine and the firewall associates pairs of a VPN label and a forwarding next hop with respective ones of the identifiers for the customer VPNs, wherein the VPN labels are VPN labels to be subsequently affixed to the packets when output to the network by the forwarding engine.
  - 6. The network router of claim 3,wherein the user interface allows the user to specify one or more policies for the firewall,wherein, based on the mapping information, the firewall applies the policies to multi-protocol label switched (MPLS) packets received from the forwarding plane, andwherein, based on the mapping information, the firewall applies the policies to packets received from the forwarding plane that are destined to be forwarded by the routing device to the VPN tunnels as multi-protocol label switched (MPLS) packets.
  - 7. The network router of claim 1,wherein the firewall determines an input zone and an output zone for each of the packets based on the zones defined by the user,wherein the firewall applies one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet, andwherein at least one of the input zone or output zone is defined by the user by specifying at least one of the customer VPNs within a collection of interfaces associated with the input zone or output zone.
  - 8. The network router of claim 1,wherein, based on the routing information, the routing engine programs the forwarding engine with forwarding information that associates network destinations and MPLS labels with specific next hops and corresponding interface ports of interface cards of the router,wherein the routing engine programs the firewall with at least a portion of the forwarding information, andwherein, for each packet received from the forwarding engine, the firewall performs a route lookup for the packet using the portion of the forwarding information to determine an output zone for the packet.
  - 9. The network router of claim 1, wherein the user interface is a text-based interface that supports a command syntax that allows the user to specify the zones.
  - 10. The network router of claim 1, wherein the user interface is a user interface output by the router to be presented remotely by a web browsers or management station.
  - 11. The network router of claim 1, wherein the stateful firewall services include multiple services including, intrusion deep packet inspection, virus scanning of application-layer data carried by the packets, layer seven security services.
  - 12. The network router of claim 1, wherein the network router comprises one of a provider edge router, a Broadband Remote Access Server (BRAS), a Broadband Network Gateway (BNG), Cable Modem Termination System (CMTS), a Multi-Service Edge router (MSE), a Gateway GPRS (General Packet Radio Services) Support Node (GGSN), a Packet Data Serving Node (PDSN), or a Public Data Network Gateway (PDN-GW), a data center device that provides routing and security functions for packets flowing in or out of a data center, a peering router that serves as a point of interconnection between network service providers, or an autonomous system border router (ASBR).
  - 13. The network router of claim 1, where the lists of interfaces are lists of logical interfaces, and wherein at least two or more or of the VPN tunnels for the customer VPNs flow through a single physical interface of the router.

14. A method comprising:
- executing, with a routing engine of a router, at least one protocol to establish virtual private network (VPN) tunnels for one or more customer VPNs;
  
  presenting, with the router, a user interface by which a user specifies one or more zones to be recognized by a firewall integrated within the router, wherein the user interface supports a syntax that allows the user to define the zones by specifying one or more the customer VPNs as interfaces associated with the zones;
  
  receiving, from a network, packets at a plurality of interfaces of the router;
  
  directing, with a flow control module of a forwarding engine of the router, one or more of the received packets to the firewall for application of stateful firewall services;
  
  applying stateful firewall services to the packets with the firewall of the network router based on the zones specified by the user;
  
  after applying stateful firewall services, forwarding at least some of the packets from the firewall to the forwarding engine;
  
  selecting next hops for the packets within the network with the forwarding engine; and
  
  forwarding the packets to the interfaces in accordance with the selected next hops.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method of claim 14, where the lists of interfaces are lists of logical interfaces, and wherein at least two or more or of the VPN tunnels for the customer VPNs flow through a single physical interface of the router.
  - 16. The method of claim 14, further comprising storing within the router configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more of the customer VPNs.
  - 17. The method of claim 14, further comprising communicating mapping information from the routing engine to the firewall, wherein the mapping information associates VPN labels for VPN tunnels with the identifiers for the customer VPNs as specified by the user interface.
  - 18. The method of claim 17, wherein for VPN tunnels for which the network router operates as an egress label switched router, the mapping information associates inner VPN labels affixed to packets received from the LSPs by the interface cards with respective ones of the identifiers for the customer VPNs.
  - 19. The method of claim 17, wherein for VPN tunnels for which the network router operates as an ingress label switched router, the mapping information associates pairs of a VPN label and a forwarding next hop with respective ones of the identifiers for the customer VPNs, wherein the VPN labels are to be subsequently affixed to the packets when output to the network by the forwarding engine.
  - 20. The method of claim 17,wherein the user interface allows the user to specify one or more policies for the firewall,wherein, based on the mapping information, the firewall applies the policies to multi-protocol label switched (MPLS) packets received from the forwarding plane that are encapsulated with at least one label, andwherein, based on the mapping information, the firewall applies the policies to packets received from the forwarding plane that are destined to be forwarded by the routing device.
  - 21. The method of claim 14, further comprisingstoring, within the router, configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more customer VPNs;
    - communicating mapping information from the routing engine to the firewall, wherein the mapping information associates VPN labels used within the LSPs with the identifiers for the customer VPNs;
      
      determining, for each of the received packets, whether the received packet is an MPLS packet;
      
      when the received packet is an MPLS packet, accessing the mapping information to map an inner VPN label of received packet to one of the identifiers for customer VPNs to determine an input zone for the received packet;
      
      determining an output zone for the packet; and
      
      applying one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet.
  - 22. The method of claim 14, further comprisingstoring, within the router, configuration data that specifies the zones defined by the user, at least one of the zones specifying a collection of interfaces that includes identifiers for one or more of the customer VPNs;
    - communicating mapping information from the routing engine to the firewall, wherein the mapping information associates VPN labels used for the VPN tunnels with the identifiers for the customer VPNs as specified by the user interface;
      
      determining, for each of the received packets, an input zone for the received packet;
      
      performing a route lookup with the firewall to determine whether the received packet is to be output on a VPN tunnel by the forwarding engine;
      
      when the received packet is to be output on the VPN tunnel;
      
      (1) determining from the route lookup a next hop for the packet and a VPN label that the forwarding engine will affix to the packet when forwarding the packet; and
      
      (2) accessing the mapping information to map the next hop and the VPN label to be affixed to the packet to one of the identifiers for customer VPNs to determine an output zone for the received packet when the packet is subsequently forwarded by the forwarding engine; and
      
      applying one or more of the stateful firewall services to each of the packets based on the input zone and output zone determined for the packet.
  - 23. The method of claim 14, wherein the user interface is one of a graphics-based interface or a text-based interface that supports a command syntax that allows the user to specify the zone.

24. A computer-readable storage medium comprising program instructions to cause a processor to:
- execute, with a routing engine of a router, at least one protocol to establish virtual private networks (VPN) tunnels to carry VPN communications for a plurality of customer VPNs; and
  
  present, with the router, a user interface by which a user specifies one or more zones to be recognized by a firewall integrated within the router, wherein the user interface supports a syntax that allows the user to define the zones by specifying one or more of the customer VPNs as interfaces associated with the zones.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Gomes, Joao Campelo F.N., Varadhan, Kannan

Granted Patent

US 8,307,422 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/50   using label swapping, e.g. ...

H04L 45/60   Router architectures

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

ROUTING DEVICE HAVING INTEGRATED MPLS-AWARE FIREWALL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

ROUTING DEVICE HAVING INTEGRATED MPLS-AWARE FIREWALL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links