SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION

US 20140215560A1
Filed: 03/15/2013
Published: 07/31/2014
Est. Priority Date: 01/30/2013
Status: Active Grant

First Claim

Patent Images

1. A security device for processing a plurality of network flows, comprising:

one or more packet processors configured to receive incoming data packets associated with one or more network flows, at least one of the packet processors being assigned as an owner of one or more network flows, and each packet processor processing data packets associated with flows for which it is the assigned owner; and

a packet processing manager configured to assign ownership of network flows to the one or more packet processors, the packet processing manager comprising a global flow table containing global flow table entries mapping network flows to packet processor ownership assignments and a predict flow table containing predict flow entries mapping predicted network flows to packet processor ownership assignments,wherein each predict flow entry comprising a predict key and associated packet processor ownership assignment, the predict key comprising a plurality of data fields identifying a predicted network flow where the value of one or more of the data fields is unknown.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security device for processing network flows is described, including: one or more packet processors configured to receive incoming data packets associated with network flows where a packet processor is assigned as an owner of network flows and each packet processor processes data packets associated with flows for which it is the assigned owner; and a packet processing manager configured to assign ownership of network flows to the packet processors where the packet processing manager includes a global flow table containing global flow table entries mapping network flows to packet processor ownership assignments and a predict flow table containing predict flow entries mapping predicted network flows to packet processor ownership assignments. A predict flow entry includes a predict key and associated packet processor ownership assignment. The predict key includes multiple data fields identifying a predicted network flow where one or more of the data fields have a wildcard value.

Citations

16 Claims

1. A security device for processing a plurality of network flows, comprising:
- one or more packet processors configured to receive incoming data packets associated with one or more network flows, at least one of the packet processors being assigned as an owner of one or more network flows, and each packet processor processing data packets associated with flows for which it is the assigned owner; and
  
  a packet processing manager configured to assign ownership of network flows to the one or more packet processors, the packet processing manager comprising a global flow table containing global flow table entries mapping network flows to packet processor ownership assignments and a predict flow table containing predict flow entries mapping predicted network flows to packet processor ownership assignments,wherein each predict flow entry comprising a predict key and associated packet processor ownership assignment, the predict key comprising a plurality of data fields identifying a predicted network flow where the value of one or more of the data fields is unknown.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The security device of claim 1, wherein the predict key comprises the 5-tuple information of a predicted network flow where one or more of the 5-tuple information has an unknown value.
  - 3. The security device of claim 1, wherein a predict flow entry is added in the predict flow table when data packets associated with a parent flow are received by a packet processor, the predict flow entry identifying a predicted network flow being a child flow corresponding to the parent flow by using wildcard values in the predict key and the predict flow entry mapping the predicted network flow to the packet processor assigned as owner of the parent flow.
  - 4. The security device of claim 3, wherein the parent flow and the child flow comprise a file transfer protocol session or a voice-over-IP session.
  - 5. The security device of claim 3, wherein the parent flow comprises a control session and the child flow comprise a data session associated with the control session.
  - 6. The security device of claim 1, wherein a packet processor forwards a received data packet to the packet processing manager when no entry for a network flow is found in a local memory, the packet processing manager looks up the network flow in the global flow table and the predict flow table;
    - wherein when a match is found in the predict flow table, the packet processing manager adds an entry in the global flow table for the network flow using the packet processor ownership assignment in the predict flow entry.
  - 7. The security device of claim 1, wherein the predict flow table comprises a ternary content-addressable memory (TCAM).
  - 8. The security device of claim 1, further comprising:
    - one or more packet processing cards, each having one or more packet processors formed thereon, each packet processing card having a data port for receiving and transmitting data is packets and a local flow table; and
      
      a switching fabric in communication with the one or more packet processing cards and the packet processing manager,wherein the one or more packet processing cards learn of ownership assignments of network flows from the packet processing manager as data packets are being received, the local flow table stores entries mapping network flows to packet processor ownership assignments that are learned from the packet processing manager.

9. A method for processing a plurality of network flows in a security device comprising a plurality of packet processing cards communicating through a switching fabric, each packet processing card including one or more packet processors, the method comprising:
- receiving a first data packet at a packet processing card;
  
  sending a message to a packet processing manager to add a predict flow entry;
  
  adding the predict flow entry in a predict flow table using a predict key having a plurality of data fields identifying a predicted network flow where the value of one or more of the data fields is unknown, the predict key being associated with a packet processor ownership assignment of the first data packet;
  
  receiving a second data packet at a packet processing card;
  
  forwarding the second data packet to the packet processing manager;
  
  looking up a network flow for the second data packet in the predict flow table;
  
  when the network flow for the second data packet is found in the predict flow table, adding an entry in a global flow table of the packet processing manager, the global flow table is containing entries mapping network flows to packet processor ownership assignments, the entry identifying the owner packet processor of the first data packet as the owner packet processor of the second data packet;
  
  sending a message from the packet processing manager to the owner packet processor informing the assigned packet processor of the ownership assignment of the second data packet;
  
  receiving a message at the packet processing manager from the owner packet processor indicating acceptance of the ownership assignment;
  
  storing a binding entry in the global flow table mapping the network flow to the owner packet processor; and
  
  processing the second data packet at the owner packet processor.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein looking up the network flow for the second data packet in the predict flow table comprises:
    - looking up the network flow for the second data packet in the predict flow table and the global flow table.
  - 11. The method of claim 9, wherein looking up the network flow for the second data packet in the predict flow table comprises:
    - looking up the network flow for the second data packet in the predict flow table and the s global flow table simultaneously.
  - 12. The method of claim 9, wherein receiving the first data packet at the packet processing card comprises:
    - receiving a data packet at a packet processing card, the data packet being associated with a parent session with a child session to be determined, the predict flow entry being made for the child session to be determined.
  - 13. The method of claim 12, wherein the parent flow and the child flow comprise a file transfer protocol session or a voice-over-IP session.
  - 14. The method of claim 12, wherein the parent flow comprises a control session and the child flow comprise a data session associated with the control session.
  - 15. The method of claim 9, wherein the predict key comprises the 5-tuple information of a predicted network flow where one or more of the 5-tuple information has an unknown value.
  - 16. The method of claim 9, further comprising:
    - receiving a third data packet at a packet processing card;
      
      when a network flow associated with the third data packet is found in the global flow table, sending a message from the packet processing manager to the packet processing card receiving the third data packet informing the receiving packet processing card the ownership assignment for the network flow;
      
      adding an entry in a local flow table of the packet processing card receiving the third data packet, the entry mapping the network flow to the owner packet processor;
      
      forwarding the data packet from the packet processing manager to the owner packet processor; and
      
      processing the data packet at the owner packet processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Roberson, William A.

Granted Patent

US 9,240,975 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0254   Stateful filtering

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/142   Managing session states for...

H04L 9/40   Network security protocols

SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links