Firewall including local bus

US 6,701,432 B1
Filed: 04/01/1999
Issued: 03/02/2004
Est. Priority Date: 04/01/1999
Status: Expired due to Term

First Claim

Patent Images

1. A gateway for screening packets transferred over a network, the gateway including a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, and a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory, the gateway including:

a memory bus for transferring the received packets to and from the memory, the memory bus providing a first path for retrieving packets from the memory including a first portion of a rule set, where one or more oft accessed rule sets are stored;

a firewall engine coupled to the memory bus, the firewall engine operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface;

a local bus coupled between the firewall engine and the memory providing a second separate non-overlapping path for retrieving packets to and from the memory; and

an expandable external rule memory configured to store lesser accessed rule sets and coupled to the local bus, the external rule memory including a second portion of the rule set accessible by the firewall engine using the local bus, wherein the firewall engine is operable to retrieve rules from the second portion of the rule set and screen packets in accordance with the retrieved rules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy. An expandable external rule memory is coupled to the local bus and includes one or more rule sets accessible by the firewall engine using the local bus. The firewall engine is operable to retrieve rules from a rule set and screen packets in accordance with the retrieved rules.

Citations

17 Claims

1. A gateway for screening packets transferred over a network, the gateway including a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, and a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory, the gateway including:
- a memory bus for transferring the received packets to and from the memory, the memory bus providing a first path for retrieving packets from the memory including a first portion of a rule set, where one or more oft accessed rule sets are stored;
  
  a firewall engine coupled to the memory bus, the firewall engine operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface;
  
  a local bus coupled between the firewall engine and the memory providing a second separate non-overlapping path for retrieving packets to and from the memory; and
  
  an expandable external rule memory configured to store lesser accessed rule sets and coupled to the local bus, the external rule memory including a second portion of the rule set accessible by the firewall engine using the local bus, wherein the firewall engine is operable to retrieve rules from the second portion of the rule set and screen packets in accordance with the retrieved rules.
- View Dependent Claims (2, 3, 4, 5, 6, 15)
- - 2. The gateway of claim 1 wherein the firewall engine is implemented in a hardware ASIC.
  - 3. The gateway of claim 2 wherein the ASIC includes an authentication engine operable to authenticate a retrieved packet contemporaneously with the screening of the retrieved packet by the firewall engine.
  - 4. The gateway of claim 3 further including a decryption/encryption engine for decrypting and encrypting retrieved packets.
  - 5. The gateway of claim 1 wherein the memory is a dual-port memory configured to support simultaneous read or write access from each of the memory bus and the local bus.
  - 6. The gateway of claim 1 further including a direct memory access controller configured for controlling memory accesses by the firewall engine to the memory when using the local bus.
  - 15. The gateway of claim 1, wherein:

7. In a gateway for screening packets transferred over a network, where the gateway includes a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory using a memory bus, and a firewall engine coupled to the memory bus where the firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface, a rule set for use by the firewall engine in screening packets comprising:
- a first portion of rules stored on an ASIC in an internal rule memory directly accessible by the firewall engine and representing a first portion of a rule space, the rule space defining one or more control policies for filtering incoming and outgoing packets; and
  
  an expandable second portion of rules not stored on the ASIC, which enlarges the rule memory space providing additional rule memory to the gateway by storing the second portion of rules in an external memory, the expandable second portion of rules coupled by a bus to the firewall engine and accessible by the firewall engine to screen packets in accordance with the retrieved rules;
  
  where the first portion of rules includes a pointer to a location in the expandable second portion of rules, where the pointer is in the form of a rule that includes both a pointer code and also an address in the external memory designating a next rule to evaluate when screening a current packet and where the next rule to evaluate is included in the second portion of rules.
- View Dependent Claims (9, 13, 14)
- - 9. The rule set of claim 7, wherein the first portion of rules includes a pointer to a location in the second portion of rules, where the pointer is in the form of a rule that includes both a pointer code and also an address in the external memory designating a next rule to evaluate when screening a current packet and where the next rule to evaluate is included in the second portion of rules.
  - 13. The gateway of claim 7, wherein:
14. The gateway of claim 13, wherein:
- the external memory is not located on the application specific integrated circuit, but is associated with the application specific integrated circuit.

8. In a gateway for screening packets transferred over a network, where the gateway includes a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory using a memory bus, and a firewall engine coupled to the memory bus where the firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface, a rule set for use by the firewall engine in screening packets comprising:
- a first portion of rules stored in an internal rule memory directly accessible by the firewall engine; and
  
  an expandable second portion of rules stored in an external memory coupled by a bus to the firewall engine and accessible by the firewall engine to screen packets in accordance with the retrieved rules, wherein the rule set includes a counter rule, the counter rule including a matching criteria, a count, a count threshold and an action, the count incremented after each detected occurrence of a match between a packet and the matching criteria associated with the counter rule, such that when the count exceeds the count threshold the action is invoked.

10. A gateway for screening packets received from a network including:
- a plurality of network interfaces each for transmitting and receiving packets to and from a network;
  
  an integrated packet processor including at least two processing engines and a direct memory access controller, where the at least two processing engines include a firewall engine and an authentication engine;
  
  a dual-port memory for storing packets and a first portion of rules, including oft accessed rule sets used by the firewall engine for screening the packets;
  
  an external rule memory including an expandable second portion of rules where the external rule memory is configured to store lesser accessed rule sets, where the first portion of rules includes a pointer to a location in the expandable second portion of rules, where the pointer is in the form of a rule that includes both a pointer code and also an address in the external memory designating a next rule to evaluate when screening a current packet and where the next rule to evaluate is included in the second portion of rules;
  
  a memory bus for coupling the network interfaces, the packet processor and the dual-port memory;
  
  a local bus separately coupling the packet processor, the dual-port memory and the external memory, the packet processor invoking the direct memory access controller to retrieve a packet directly from the dual-port memory using the local bus;
  
  a memory controller for controlling a transfer of packets from the network interfaces to the dual-port memory; and
  
  a processing unit for extracting information from a packet and providing the information to the packet processor for processing.
- View Dependent Claims (11)
- - 11. The gateway of claim 10 wherein the integrated packet processor includes a separate encryption/decryption engine for encrypting and decrypting packets received by the gateway.

12. A method for screening packets transferred over a network, comprising:
- providing a firewall engine coupled directly to both a primary memory bus and a local memory bus, where the primary memory bus and the local memory bus are separate and non-overlapping; and
  
  retrieving packets from a memory and sending the packets to the firewall engine using the primary memory bus, if the primary memory bus is available, otherwise, using the local memory bus.

16. A gateway for screening packets transferred over a network, the gateway including a plurality of network interfaces, each receiving and forwarding messages from a network through the gateway, a memory for temporarily storing packets received from a network, and a memory controller coupled to each of the network interfaces and configured to coordinate the transfer of received packets to and from the memory, the gateway including:
- a memory bus for transferring the received packets to and from the memory, the memory bus providing a first path for retrieving packets from the memory;
  
  a firewall engine coupled to the memory bus, the firewall engine operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface; and
  
  a local bus coupled between the firewall engine and the memory providing a separate second path for the firewall engine to retrieve packets from the memory;
  
  where the firewall engine accesses the memory using the memory bus when the local bus is busy or the local bus when the memory bus is busy.

17. A gateway for screening packets comprising:
- a first portion of rules stored on an ASIC in an internal rule memory directly accessible by the firewall engine and representing a first portion of the rule space, the rule space defining one or more control policies for filtering incoming and outgoing packets; and
  
  an expandable second portion of rules not stored on the ASIC, which enlarges the rule memory space providing additional rule memory to the gateway by storing the second portion of rules in an external memory, the expandable second portion of rules coupled by a bus to the firewall engine and accessible by the firewall engine to screen packets in accordance with the retrieved rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
NetScreen Technologies Inc. (Juniper Networks Incorporated)
Inventors
Luo, Dongping, Deng, Feng, Ke, Yan
Primary Examiner(s)
Barrón, Gilberto
Assistant Examiner(s)
Zand, Kambiz

Application Number

US09/283,730
Time in Patent Office

1,797 Days
Field of Search

713/201, 713/153
US Class Current

713/153
CPC Class Codes

H04L 49/90   Buffering arrangements

H04L 49/901   using storage descriptor, e...

H04L 49/9057   Arrangements for supporting...

H04L 63/02   for separating internal fro...

H04L 69/16   Implementation or adaptatio...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Firewall including local bus

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall including local bus

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links