System and Apparatus for Providing Network Security

US 20190020690A1
Filed: 09/18/2018
Published: 01/17/2019
Est. Priority Date: 03/17/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a rule engine configured to receive data flows, said data flows being between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to determine data flow information and in dependence on said information to perform an action with respect to said flow; and

a controller, said controller configured to provide control information to said rule engine to define one or more actions which are performable with respect to said flow,wherein communications between said rule engine and said controller are secure,wherein said controller is configured to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine,wherein said rule engine comprises hardware, one or more programmable hardware processors, or a combination of both,wherein said controller comprises hardware, one or more programmable hardware processors, or a combination of both.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A rule engine receives data flows. The data flows are between a network and an application. The rule engine determines data flow information and in dependence on the information performs an action with respect to said flow. A controller provides control information to the rule engine to define one or more actions. The communications between said rule engine and said controller are secure.

17 Citations

24 Claims

1. A system comprising:
- a rule engine configured to receive data flows, said data flows being between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to determine data flow information and in dependence on said information to perform an action with respect to said flow; and
  
  a controller, said controller configured to provide control information to said rule engine to define one or more actions which are performable with respect to said flow,wherein communications between said rule engine and said controller are secure,wherein said controller is configured to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine,wherein said rule engine comprises hardware, one or more programmable hardware processors, or a combination of both,wherein said controller comprises hardware, one or more programmable hardware processors, or a combination of both.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A system as claimed in claim 1, wherein said controller is configured to receive information from said rule engine about said data flows.
  - 3. A system as claimed in claim 1, wherein said rule engine has a first data store configured to store at least one first key and said controller has a second data store configured to store at least one second key.
  - 4. A system as claimed in claim 3, wherein at least one of said first and second data stores comprises a one time programmable memory.
  - 5. A system as claimed in claim 3, wherein at least one of said first and second data stores comprises a hardware security module.
  - 6. A system as claimed in claim 3, wherein at least one of said first and second key is stored in said data store at manufacture.
  - 7. A system as claimed in claim 1, wherein at least one of said rules engine and said controller is configured to receive a message from a trusted authority and to verify said message using a respective key of said at least one first key and said at least one second key.
  - 8. A system as claimed in claim 7, wherein the message received by the controller comprises a public key associated with said at least one first key of the rules engine and the message received by the rule engine comprises at least one public key associated with the at least one second key of the controller.
  - 9. A system as claimed in claim 1, wherein one of said rules engine and said controller is configured to send a message to the other of said rules engine and said controller, said message encrypted by a public key and signed with a private key of said one of said rules engine and said controller, said message comprising a further key to use for said secure communications between the rules engine and the controller.
  - 10. A system as claimed in claim 1, wherein said rule engine is provided in a first trusted domain and said controller is provided in a second trusted domain, different to the first domain.
  - 11. A system as claimed in claim 1, wherein said controller is provided in a trusted virtual machine.
  - 12. A system as claimed in claim 1, wherein a plurality of said rules engines are provided.
  - 13. A system as claimed in claim 1, wherein said data flow information comprises header information.
  - 14. A system as claimed in claim 1, wherein said rules engine is configured to perform a look up operation in dependence on said data flow information, said look operation providing one or more of state associated with the data flow, at least one rule, delivery information and a count.
  - 15. A system as claimed in claim 14, wherein the rules engine comprises an execution block configured to perform said at least one action defined by said rule and update information in a data store of said rules engine.
  - 16. A system as claim 1, wherein the function comprises a look up of said data flow information for said at least one data flow from a data store of the controller.
  - 17. A system as claimed in claim 16, wherein the function is a look up function for said rules engine.

18. A network interface device comprising:
- a rule engine configured to receive data flows, said data flows being between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to determine data flow information and in dependence on said information to perform an action with respect to said flow, said rule engine configured to receive control information from a controller defining one or more of said actions which are performable with respect to said flow, wherein communications between said rule engine and said controller are secure,wherein said rule engine is configured to send information about said data flows to said controller to enable the controller to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine,wherein said rule engine comprises hardware, one or more programmable hardware processors, or a combination of both.

19. An server apparatus comprising:
- a controller, said controller configured to provide control information to a rule engine in a network interface device to define one or more actions, the rule engine configured receive data flows between a network and an application and to perform one or more of said actions with respect to said flow, wherein communications between said rule engine and said controller are secure,wherein said controller is configured to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine,wherein said controller comprises hardware, one or more programmable hardware processors, or a combination of both.

20. A computer program product, the computer program product being embodied on a non-transient computer-readable medium and configured so as when executed on a processor to provide a rule engine which:
- receives data flows, said data flows being between a network and an application;
  
  determines data flow information and in dependence on said information to perform an action with respect to said flow; and
  
  receives control information from a controller defining one or more of said actions which are performable with respect to said flow, said rule engine having a first data store configured to store at least one first key, wherein communications between said rule engine and said controller are secure,wherein said rule engine is configured to send information about said data flows to said controller to enable the controller to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine.

21. A computer program product, the computer program product being embodied on a non-transient computer-readable medium and configured so as, when executed on a processor, to provide a controller which:
- provides control information to a rule engine in a network interface device to define one or more actions, the rule engine configured to receive data flows between a network and an application and to perform one or more of said actions with respect to said flow;
  
  performs a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine,wherein communications between said rule engine and said controller are secure.

22. A firewall device comprising:
- a rule engine configured to receive data flows, said data flows being between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to determine data flow information and in dependence on said information to perform an action with respect to said flow, said rule engine configured to receive control information from a controller defining one or more of said actions which are performable with respect to said flow, wherein communications between said rule engine and said controller are secure,wherein said rule engine is configured to send information about said data flows to said controller to enable the controller to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine,wherein said rule engine comprises hardware, one or more programmable hardware processors, or a combination of both.

23. A switch comprising:
- a rule engine configured to receive data flows, said data flows being between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to determine data flow information and in dependence on said information to perform an action with respect to said flow, said rule engine configured to receive control information from a controller defining one or more of said actions which are performable with respect to said flow, wherein communications between said rule engine and said controller are secure,wherein said rule engine is configured to send information about said data flows to said controller to enable the controller to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine, andwherein said rule engine comprises hardware, one or more programmable hardware processors, or a combination of both.

24. A data processing device comprising a hypervisor, the hypervisor comprising:
- a rule engine configured to receive data flows, said data flows being between a network and an application, said rule engine being provided between said network and said application, said rule engine being configured to determine data flow information and in dependence on said information to perform an action with respect to said flow, said rule engine configured to receive control information from a controller defining one or more of said actions which are performable with respect to said flow, wherein communications between said rule engine and said controller are secure,wherein said rule engine is configured to send information about said data flows to said controller to enable the controller to perform a function with respect to at least one data flow in response to a determination that said data flow information associated with said at least one data flow is not present in said rules engine,wherein said rule engine comprises hardware, one or more programmable hardware processors, or a combination of both.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xilinx, Inc. (Advanced Micro Devices, Inc.)
Original Assignee
SolarFlare Communications Incorporated (Advanced Micro Devices, Inc.)
Inventors
Pope, Steven L., Riddoch, David J., Roberts, Derek

Granted Patent

US 10,601,874 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/06   for supporting key manageme...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

System and Apparatus for Providing Network Security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and Apparatus for Providing Network Security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links