RUNTIME ADAPTABLE SECURITY PROCESSOR

US 20120117610A1
Filed: 09/02/2011
Published: 05/10/2012
Est. Priority Date: 06/10/2003
Status: Abandoned Application

First Claim

Patent Images

1-19. -19. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A runtime adaptable security processor is disclosed. The processor architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol layer and may also provide packet inspection through Layer 7. A high performance content search and rules processing security processor is disclosed which may be used for application layer and network layer security. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer.

100 Citations

View as Search Results

39 Claims

1-19. -19. (canceled)

20. A security system comprising:
- a network, said network comprising one or more networked systems of one or more types, said security system providing multiple protocol layer security in said network, at least one of said one or more networked systems comprising a security processor, said security processor comprising a programmable content search and rule processing engine configured to search payload content of traffic within said network by applying a set of search rules, or take actions on matched rules, or a combination thereof, and said security processor comprising;
  
  (a) a runtime adaptable processor to provide adaptable hardware acceleration at multiple protocol layers based on processing the network traffic presented to said security processor, said runtime adaptable processor comprising a plurality of configurations, and a configuration controller, wherein said configuration controller is configured to dynamically map hardware functions to a plurality of hardware elements that are coupled to each other in a first configuration from the plurality of configurations at a first time and are coupled to each other in a second configuration from the plurality of configurations at a second time, the second configuration different than the first configuration; and
  
  (b) a programmable rules processing engine to provide rule searching and security processing at multiple protocol layers to the network traffic presented to said security processor, wherein the network traffic comprises a first packet and a second packet, wherein a state of the search rules applied to said second packet are stored in a memory, and said programmable rules processing engine is configured to determine whether the first packet is secure based on whether the first packet belongs to a connection of the second packet and on the stored state of the search rules applied to the second packet.
- View Dependent Claims (22, 23, 24, 25, 32, 38, 39)
- - 22. The security system of claim 20 further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager and set up rules in said security processor on at least one of said one or more networked systems to analyze and enforce security based on the rules.
  - 23. The security system of claim 22 wherein the central manager comprises at least one of:
    - a. An Application Programming Interface for entering security rules;
      
      b. A Rules Compiler for compiling security rules;
      
      c. A Rules Distribution Engine to distribute rules to said at least one of said one or more networked systems;
      
      d. A Monitoring interface to monitor said network;
      
      e. An event recording engine and database to manage said network and collect events or reports from said plurality of said one or more networked systems;
      
      orf. a combination of two or more of the foregoing.
  - 24. The security system of claim 22 wherein at least one of said one or more networked systems provides security based on rules for:
    - a. OSI protocol layer two to provide layer two or Media Access Control layer security;
      
      orb. OSI protocol layer three to provide layer three or network layer security;
      
      orc. OSI protocol layer four to provide layer four or transport layer security;
      
      ord. OSI protocol layers five through seven to provide upper layer or application layer security;
      
      ore. a combination of any two or more of the foregoing.
  - 25. The security system of claim 20 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, digital rights management, instant message inspection, URL matching, application detection, malicious content identification, extrusion detection, or unauthorized access detection.
  - 32. The security system of claim 20 wherein one of said one or more networked systems is a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, Voice over Internet Protocol (VoIP) server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system, or gateway device.
  - 38. The security system of claim 20 providing a secure operating environment for a network protocol processing stack on one or more of said networked systems for trusted computing environment needs of the networked systems.
  - 39. The security system of claim 20, said security processor further comprising a controller configured to control a change from the first configuration to the second configuration based on a type of the network traffic.

21. A security system comprising:
- a storage area network comprising one or more networked systems comprising a security processor providing multiple protocol layer security in said storage area network, said security processor comprising a programmable content search and rule processing engine configured to search payload content of traffic within said storage area network by applying a set of search rules, or take actions on matched rules, or a combination thereof, said security processor comprising;
  
  (a) a runtime adaptable processor to provide adaptable hardware acceleration at multiple protocol layers based on processing the storage area network traffic presented to said security processor, said runtime adaptable processor comprising a plurality of configurations, and a configuration controller, wherein said configuration controller is configured to dynamically map hardware functions to a plurality of hardware elements that are coupled to each other in a first configuration from the plurality of configurations at a first time and are coupled to each other in a second configuration from the plurality of configurations at a second time, the second configuration different than the first configuration; and
  
  (b) a programmable rules processing engine to provide rule searching and security processing at multiple protocol layers to the network traffic presented to said security processor, wherein the network traffic comprises a first packet and a second packet, wherein a state of the search rules applied to said second packet are stored in a memory, and said programmable rules processing engine is configured to determine whether the first packet is secure based on whether the first packet belongs to a connection of the second packet and on the stored state of the search rules applied to the second packet.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The security system of claim 21 further comprising:
    - a. at least one central manager for compiling and distributing storage area network security rules; and
      
      b. at least one security policy driver to communicate with the central manager and set up rules in said security processor on at least one of said one or more networked systems to analyze and enforce storage area network security based on the rules.
  - 35. The security system of claim 34 wherein the central manager comprises at least one of:
    - a. An Application Programming Interface for entering security rules;
      
      b. A Rules Compiler for compiling security rules;
      
      c. A Rules Distribution Engine to distribute rules to said plurality of said one or more networked systems;
      
      d. A Monitoring interface to monitor said storage area network;
      
      e. An event recording engine and database to manage said network and collect events or reports from said plurality of said networked systems;
      
      orf. a combination of two or more of the foregoing.
  - 36. The security system of claim 34 wherein at least one of said one or more networked systems provides security based on rules for:
    - a. OSI protocol layer two to provide layer two or Media Access Control (MAC) layer security;
      
      orb. OSI protocol layer three to provide layer three or network layer security;
      
      orc. OSI protocol layer four to provide layer four or transport layer security;
      
      ord. OSI protocol layers five through seven to provide upper layer or application layer security;
      
      ore. a combination of two or more of the foregoing.
  - 37. The security system of claim 21 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, digital rights management, instant message inspection, URL matching, application detection, malicious content identification, extrusion detection, unauthorized access detection, or detecting other security attacks, or a combination of two or more of the foregoing.

26. A security system comprising:
- a network, said network comprising one or more networked systems of one or more types, said security system providing multiple protocol layer security in said network, at least one of said one or more networked systems comprising a security processor providing remote direct memory access (RDMA) capability, said security processor comprising a programmable content search and rule processing engine configured to search payload content of traffic within said network by applying a set of search rules, or take actions on matched rules, or a combination thereof, said security processor comprising;
  
  (a) a runtime adaptable processor to provide adaptable hardware acceleration at multiple protocol layers based on processing the network traffic presented to said security processor, said runtime adaptable processor comprising a plurality of configurations, and a configuration controller, wherein said configuration controller is configured to dynamically map hardware functions to a plurality of hardware elements that are coupled to each other in a first configuration from the plurality of configurations at a first time and are coupled to each other in a second configuration from the plurality of configurations at a second time, the second configuration different than the first configuration; and
  
  (b) a programmable rules processing engine to provide rule searching and security processing at multiple protocol layers to the network traffic presented to said security processor, wherein the network traffic comprises a first packet and a second packet, wherein a state of the search rules applied to said second packet are stored in a memory, and said programmable rules processing engine is configured to determine whether the first packet is secure based on whether the first packet belongs to a connection of the second packet and on the stored state of the search rules applied to the second packet.
- View Dependent Claims (27, 28, 29, 30, 31, 33)
- - 27. The security system of claim 26 wherein said security processor provides a transport layer remote direct memory access capability.
  - 28. The security system of claim 26 further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager and setup rules in said security processor on at least one of said one or more networked systems to analyze and enforce security based on the rules.
  - 29. The security system of claim 28 wherein the central manager comprises at least one of:
    - a. An Application Programming Interface for entering security rules;
      
      b. A Rules Compiler for compiling security rules;
      
      c. A Rules Distribution Engine to distribute rules to said at least one of said one or more networked systems;
      
      d. A Monitoring interface to monitor said network;
      
      e. An event recording engine and database to manage said network and collect events or reports from said one or more networked systems;
      
      orf. a combination of any of the foregoing.
  - 30. The security system of claim 28 wherein at least one of said one or more networked systems provides security based on rules for:
    - a. OSI protocol layer two to provide layer two or Media Access Control (MAC) layer security;
      
      orb. OSI protocol layer three to provide layer three or network layer security;
      
      orc. OSI protocol layer four to provide layer four or transport layer security;
      
      ord. OSI protocol layers five through seven to provide upper layer or application layer security;
      
      ore. a combination of any two or more of the foregoing.
  - 31. The security system of claim 26 including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, digital rights management, instant message inspection, URL matching, application detection, malicious content identification, extrusion detection, or unauthorized access detection.
  - 33. The security system of claim 26 wherein one of said one or more networked systems is a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, Voice over Internet Protocol (VoIP) server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system, or gateway device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Memory Access Technologies LLC
Original Assignee
Memory Access Technologies LLC
Inventors
Pandya, Ashish A.

Application Number

US13/225,305
Publication Number

US 20120117610A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0485   Networking architectures fo...

H04L 63/20   for managing network securi...

H04L 67/1097   for distributed storage of ...

H04L 69/12   Protocol engines

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/32   Architecture of open system...

H04L 69/323   in the physical layer [OSI ...

H04L 69/326   in the transport layer [OSI...

H04L 69/329   in the application layer [O...

RUNTIME ADAPTABLE SECURITY PROCESSOR

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

39 Claims

Specification

Use Cases

Quick Links

Others

RUNTIME ADAPTABLE SECURITY PROCESSOR

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

39 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others