Firewall including local bus
Abstract
A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy. An expandable external rule memory is coupled to the local bus and includes one or more rule sets accessible by the firewall engine using the local bus. The firewall engine is operable to retrieve rules from a rule set and screen packets in accordance with the retrieved rules.
17 Claims
1. A gateway for screening packets transferred over a network, the gateway including a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, and a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory, the gateway including:
a memory bus for transferring the received packets to and from the memory, the memory bus providing a first path for retrieving packets from the memory including a first portion of a rule set, where one or more oft accessed rule sets are stored;
a firewall engine coupled to the memory bus, the firewall engine operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface;
a local bus coupled between the firewall engine and the memory providing a second separate non-overlapping path for retrieving packets to and from the memory; and
an expandable external rule memory configured to store lesser accessed rule sets and coupled to the local bus, the external rule memory including a second portion of the rule set accessible by the firewall engine using the local bus, wherein the firewall engine is operable to retrieve rules from the second portion of the rule set and screen packets in accordance with the retrieved rules.
the local bus provides a second path for retrieving packets from the memory when the memory bus is busy.
7. In a gateway for screening packets transferred over a network, where the gateway includes a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory using a memory bus, and a firewall engine coupled to the memory bus where the firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface, a rule set for use by the firewall engine in screening packets comprising:
a first portion of rules stored on an ASIC in an internal rule memory directly accessible by the firewall engine and representing a first portion of a rule space, the rule space defining one or more control policies for filtering incoming and outgoing packets; and
an expandable second portion of rules not stored on the ASIC, which enlarges the rule memory space providing additional rule memory to the gateway by storing the second portion of rules in an external memory, the expandable second portion of rules coupled by a bus to the firewall engine and accessible by the firewall engine to screen packets in accordance with the retrieved rules;
where the first portion of rules includes a pointer to a location in the expandable second portion of rules, where the pointer is in the form of a rule that includes both a pointer code and also an address in the external memory designating a next rule to evaluate when screening a current packet and where the next rule to evaluate is included in the second portion of rules.
the internal rule memory is located on an application specific integrated circuit.
14. The gateway of claim 13, wherein:
the external memory is not located on the application specific integrated circuit, but is associated with the application specific integrated circuit.
8. In a gateway for screening packets transferred over a network, where the gateway includes a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory using a memory bus, and a firewall engine coupled to the memory bus where the firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface, a rule set for use by the firewall engine in screening packets comprising:
a first portion of rules stored in an internal rule memory directly accessible by the firewall engine; and
an expandable second portion of rules stored in an external memory coupled by a bus to the firewall engine and accessible by the firewall engine to screen packets in accordance with the retrieved rules, wherein the rule set includes a counter rule, the counter rule including a matching criteria, a count, a count threshold and an action, the count incremented after each detected occurrence of a match between a packet and the matching criteria associated with the counter rule, such that when the count exceeds the count threshold the action is invoked.
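Claims 7, 8 and 10 describe three rule structures: ordinary match rules held in a small on-ASIC rule memory, a pointer rule (a pointer code plus an address) that hands evaluation over to an expandable external rule memory, and a counter rule whose action fires only once its count exceeds a threshold. The following model, added here as an illustration and not code from the patent or any product, walks such a split rule set for a constructed packet sequence. The rule encoding, the field names, the packet dictionaries, the sample policy and the fetch tally are all assumptions made for the example; the claims fix only the presence of the pointer code, the external address and the counter fields.

```python
"""Two-tier rule memory with pointer and counter rules (illustration only)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed rule codes; the claims only require a pointer code plus an address.
MATCH = "match"      # criteria + terminal action
POINTER = "pointer"  # continue at next_addr in external rule memory
COUNTER = "counter"  # criteria + count + threshold + action


@dataclass
class Rule:
    code: str
    criteria: dict = field(default_factory=dict)  # {field: value}; empty matches all
    action: Optional[str] = None                  # "accept" or "drop"
    next_addr: Optional[int] = None               # POINTER only: external address
    threshold: int = 0                            # COUNTER only
    count: int = 0                                # COUNTER state, mutated per match


class RuleMemory:
    """Internal (on-ASIC) portion plus the expandable external portion.

    Fetches are tallied per memory so the split between oft-accessed and
    lesser-accessed rules is visible after a run."""

    def __init__(self, internal, external):
        self.internal = list(internal)
        self.external = list(external)
        self.fetches = {"internal": 0, "external": 0}

    def table(self, space):
        return self.internal if space == "internal" else self.external

    def fetch(self, space, index):
        self.fetches[space] += 1
        return self.table(space)[index]


def matches(rule, packet):
    return all(packet.get(k) == v for k, v in rule.criteria.items())


def screen(mem, packet, default="drop", max_steps=64):
    """Evaluate rules from internal address 0 until one yields a decision.

    MATCH falls through on mismatch; POINTER jumps into external memory;
    COUNTER increments on match and fires only once count > threshold.
    Running off the end of a table, a pointer to a non-existent address or
    a pointer chain longer than max_steps all fail closed to `default`."""
    space, idx = "internal", 0
    for _ in range(max_steps):
        if idx >= len(mem.table(space)):
            return default
        rule = mem.fetch(space, idx)
        if rule.code == POINTER:
            space, idx = "external", rule.next_addr
            continue
        if matches(rule, packet):
            if rule.code == MATCH:
                return rule.action
            if rule.code == COUNTER:
                rule.count += 1
                if rule.count > rule.threshold:
                    return rule.action
        idx += 1
    return default


def build_sample_memory():
    """Constructed policy: web traffic is decided on-ASIC; SSH handling and
    the default-deny catch-all live in external memory behind a pointer."""
    internal = [
        Rule(MATCH, {"proto": "tcp", "dport": 443}, action="accept"),
        Rule(MATCH, {"proto": "tcp", "dport": 80}, action="accept"),
        Rule(POINTER, next_addr=0),
    ]
    external = [
        # More than three SSH packets from this source: start dropping.
        Rule(COUNTER, {"proto": "tcp", "dport": 22, "src": "10.0.0.9"},
             action="drop", threshold=3),
        Rule(MATCH, {"proto": "tcp", "dport": 22}, action="accept"),
        Rule(MATCH, {}, action="drop"),  # default deny
    ]
    return RuleMemory(internal, external)


def run_demo():
    """Screen a constructed packet sequence; return decisions and fetch tally."""
    mem = build_sample_memory()
    ssh = {"proto": "tcp", "dport": 22, "src": "10.0.0.9"}
    packets = [
        {"proto": "tcp", "dport": 443, "src": "10.0.0.5"},
        {"proto": "tcp", "dport": 80, "src": "10.0.0.5"},
        ssh, ssh, ssh, ssh,
        {"proto": "udp", "dport": 53, "src": "10.0.0.5"},
    ]
    decisions = [screen(mem, p) for p in packets]
    return decisions, mem.fetches


if __name__ == "__main__":
    print(run_demo())
```

Two points the claims leave implicit are made explicit here: the pointer rule is only reached in sequence, so the frequently hit web rules never touch the external memory at all, and a dangling pointer address or a pointer cycle is treated as a screening failure that yields the default decision rather than an accept.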
10. A gateway for screening packets received from a network including:
a plurality of network interfaces each for transmitting and receiving packets to and from a network;
an integrated packet processor including at least two processing engines and a direct memory access controller, where the at least two processing engines include a firewall engine and an authentication engine;
a dual-port memory for storing packets and a first portion of rules, including oft accessed rule sets used by the firewall engine for screening the packets;
an external rule memory including an expandable second portion of rules where the external rule memory is configured to store lesser accessed rule sets, where the first portion of rules includes a pointer to a location in the expandable second portion of rules, where the pointer is in the form of a rule that includes both a pointer code and also an address in the external memory designating a next rule to evaluate when screening a current packet and where the next rule to evaluate is included in the second portion of rules;
a memory bus for coupling the network interfaces, the packet processor and the dual-port memory;
a local bus separately coupling the packet processor, the dual-port memory and the external memory, the packet processor invoking the direct memory access controller to retrieve a packet directly from the dual-port memory using the local bus;
a memory controller for controlling a transfer of packets from the network interfaces to the dual-port memory; and
a processing unit for extracting information from a packet and providing the information to the packet processor for processing.
12. A method for screening packets transferred over a network, comprising:
providing a firewall engine coupled directly to both a primary memory bus and a local memory bus, where the primary memory bus and the local memory bus are separate and non-overlapping; and
retrieving packets from a memory and sending the packets to the firewall engine using the primary memory bus, if the primary memory bus is available, otherwise, using the local memory bus.
16. A gateway for screening packets transferred over a network, the gateway including a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, and a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory, the gateway including:
a memory bus for transferring the received packets to and from the memory, the memory bus providing a first path for retrieving packets from the memory;
a firewall engine coupled to the memory bus, the firewall engine operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface; and
a local bus coupled between the firewall engine and the memory providing a separate second path for the firewall engine to retrieve packets from the memory;
where the firewall engine accesses the memory using the memory bus when the local bus is busy or the local bus when the memory bus is busy.
17. A gateway for screening packets comprising:
a first portion of rules stored on an ASIC in an internal rule memory directly accessible by the firewall engine and representing a first portion of the rule space, the rule space defining one or more control policies for filtering incoming and outgoing packets; and
an expandable second portion of rules not stored on the ASIC, which enlarges the rule memory space providing additional rule memory to the gateway by storing the second portion of rules in an external memory, the expandable second portion of rules coupled by a bus to the firewall engine and accessible by the firewall engine to screen packets in accordance with the retrieved rules.