Cluster Architecture for Network Security Processing
Abstract
A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing, to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device may be performed.
45 Claims
1. A computer-readable storage medium comprising instructions to cause a computing device to perform a method for assigning network flow processing tasks within a cluster comprising a plurality of communicatively coupled computing devices, the method comprising:
maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto;
identifying a network flow for processing by the cluster;
determining whether the network flow is already being processed by a cluster computing device using the flow assignment data structure;
assigning the network flow to a selected one of the cluster computing devices when the flow has not been assigned to a cluster computing device; and
updating the flow assignment data structure to map the network flow to the assigned cluster computing device.
Dependent claims: 2 to 16.
17. A system comprising:
a cluster comprising a plurality of communicatively coupled computing devices, wherein one of the cluster computing devices is configured to operate as a cluster master;
a network interface communicatively coupling the cluster to an external network;
a flow assignment module implemented on the cluster master computing device and configured to assign network flows to the cluster computing devices according to one or more flow assignment rules,
wherein the cluster computing devices are configured to receive inbound network traffic via the network interface, and wherein each of the cluster computing devices comprises a traffic processing module configured to ignore inbound network traffic that is not associated with a network flow assigned thereto, and to process inbound network traffic related to network flows that are assigned to the cluster computing device according to a security policy.
Dependent claims: 18 to 29.
30. A method for assigning network flows within a cluster comprising a plurality of computing devices, the method comprising:
maintaining a flow assignment data structure comprising mappings between network flows and computing devices assigned thereto;
receiving network traffic on a network interface, the network traffic corresponding to a network flow;
determining whether the received network flow has been assigned one of the computing devices using the flow assignment data structure;
dropping the network traffic if the received network flow has been assigned to a computing device; and
assigning the network flow to a selected one of the plurality of computing devices if the network flow is not assigned to a computing device by:
identifying one or more computing devices that are eligible to be assigned the received network flow using the flow assignment data structure and one or more flow assignment rules,
selecting one of the one or more eligible computing devices according to a selection criteria, and
configuring the selected computing device to process network traffic associated with the received network flow.
Dependent claims: 31 to 35.
36. A method for processing network traffic by a computing device in a cluster comprising a plurality of computing devices, comprising:
receiving a network flow assignment to assign one or more network flows to the computing device;
receiving network traffic relating to a plurality of different network flows;
processing the received network traffic by:
identifying network traffic associated with network flows assigned to the computing device,
processing the identified network traffic according to a security policy, and
dropping network traffic that is not identified as associated with a network flow assigned to the computing device.
Dependent claims: 37 to 40.
41. A cluster computing device, comprising:
a communication interface communicatively coupled to an external network interface and a cluster interface; and
a traffic processing module operable on a processor of the cluster computing device and configured to receive a network flow assignment from a cluster master via the cluster interface, the network flow assignment identifying one or more network flows assigned to the cluster computing device,
wherein the traffic processing module is configured to receive network traffic associated with a plurality of different network flows on the external network interface, and wherein upon receiving the network traffic, the traffic processing module is configured to identify network traffic associated with the one or more network flows assigned to the cluster computing device, to process the identified network traffic according to a security policy, and to drop network traffic that is not identified as assigned to the cluster computing device.
Dependent claims: 42 to 45.
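The scheme the abstract and claims 1, 17, 30, 36 and 41 describe fits in a few dozen lines: a master holds the flow assignment table, every device sees all inbound traffic but processes only the flows assigned to it and drops the rest, and a failover moves a failed device's flows to a standby while keeping the table consistent. The following is an added toy model written for this page, not code from the patent or its assignee. The 5-tuple flow key, the per-device capacity rule, the least-loaded selection criterion, the byte-pattern stand-in for the security policy, and the sample traffic are all assumptions.

```python
"""Toy model of the cluster flow-assignment scheme in the abstract and claims
1, 17, 30, 36 and 41.  Constructed example, not the patent's own code: the
5-tuple flow key, the capacity rule, the least-loaded selection criterion and
the sample traffic are assumptions."""
from dataclasses import dataclass, field

# A network flow is identified here by its 5-tuple (assumed definition):
# (proto, src_ip, src_port, dst_ip, dst_port)
Flow = tuple


@dataclass
class Device:
    name: str
    role: str                      # "active" or "standby" (roles named in the abstract)
    capacity: int                  # assumed flow-assignment rule: max concurrent flows
    healthy: bool = True           # would be driven by the abstract's status messages
    assigned: set = field(default_factory=set)

    def process(self, flow: Flow, payload: bytes) -> str:
        """Claims 36/41: process only flows assigned to this device, drop the rest."""
        if flow not in self.assigned:
            return "dropped"
        # Stand-in for the security policy: block a constructed bad byte pattern.
        return "blocked" if b"evil" in payload else "forwarded"


class ClusterMaster:
    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}
        # Claim 1's flow assignment data structure: flow -> assigned device name.
        self.flow_table: dict = {}

    def eligible(self):
        """Flow assignment rules (assumed): active, healthy, and under capacity."""
        return [d for d in self.devices.values()
                if d.role == "active" and d.healthy and len(d.assigned) < d.capacity]

    def assign(self, flow: Flow) -> str:
        """Claims 1/30: consult the table; if the flow is new, pick an eligible
        device by the selection criterion and record the mapping."""
        if flow in self.flow_table:
            return self.flow_table[flow]
        candidates = self.eligible()
        if not candidates:
            raise RuntimeError("no eligible cluster device for flow")
        chosen = min(candidates, key=lambda d: len(d.assigned))  # least loaded wins
        chosen.assigned.add(flow)
        self.flow_table[flow] = chosen.name
        return chosen.name

    def failover(self, failed_name: str) -> str:
        """Abstract: when a device meets the failover condition, promote a standby
        and move the failed device's flows to it, updating the table."""
        failed = self.devices[failed_name]
        failed.healthy = False
        standby = next(d for d in self.devices.values()
                       if d.role == "standby" and d.healthy)
        standby.role = "active"
        for flow in list(failed.assigned):
            standby.assigned.add(flow)
            self.flow_table[flow] = standby.name
        failed.assigned.clear()
        return standby.name


def deliver(master: ClusterMaster, flow: Flow, payload: bytes) -> dict:
    """Claim 17: inbound traffic reaches every healthy device; only the assignee
    processes it, every other device drops it.  Returns each device's verdict."""
    return {d.name: d.process(flow, payload)
            for d in master.devices.values() if d.healthy}


def build_cluster() -> ClusterMaster:
    """Constructed three-node cluster: two active devices and one standby."""
    return ClusterMaster([Device("fw1", "active", capacity=2),
                          Device("fw2", "active", capacity=2),
                          Device("fw3", "standby", capacity=2)])


if __name__ == "__main__":
    master = build_cluster()
    f1 = ("tcp", "10.0.0.5", 40000, "192.0.2.10", 443)
    f2 = ("tcp", "10.0.0.6", 40001, "192.0.2.10", 443)
    print(master.assign(f1), master.assign(f2))      # fw1 fw2
    print(deliver(master, f1, b"GET / HTTP/1.1"))   # only fw1 forwards
    print(master.failover("fw1"))                    # fw3
    print(deliver(master, f1, b"evil payload"))      # fw3 blocks it
```

Two points the claims leave implicit show up in the model. First, because every device drops traffic for flows it does not own, a flow is inspected exactly once even though every device receives the packet, which is what lets the cluster scale without duplicating policy decisions. Second, the failover path rewrites the table before the standby starts accepting traffic; if the table and the devices' own assignment sets ever diverge, a flow is either dropped by everyone or processed by two devices, so the synchronization data the abstract mentions is what makes the scheme safe.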