Method and apparatus for optimizing firewall processing
Abstract
A firewall system and method which optimizes the performance of the firewall process by reducing overhead associated with ACL verification and firewall application-level authorization. The firewall system comprises a session manager operating in the firewall services component and a firewall module operating in the switching process component. In one embodiment, the firewall module is configured to provide certain “non-application” level inspection of data packets and update the context of “sessions” associated with the data packets without sending the packets to the firewall services component using session information provided by the session manager.
25 Claims
1. In a firewall device having a plurality of communication interfaces, a packet filtering component coupled to each of the interfaces, a switching process component coupled to each of the interfaces, and a firewall services component coupled to the switching process component, a firewall system comprising:
a) a session manager operating in said firewall services component, said session manager structured and configured to instantiate a plurality of sessions in said firewall services component and a plurality of mini-sessions in said switching process component, each of said plurality of sessions having header and payload information related to a corresponding data transfer within the firewall device, each of said plurality of mini-sessions corresponding to a session and including header information related to the corresponding data transfer within the firewall device, wherein said plurality of mini-sessions comprises instantiated software modules residing in the same address space as said switching process component; and
b) a firewall module operating in said switching process coupled to said plurality of mini-sessions, said firewall module configured to intercept data packets received into the interfaces, said firewall module further configured to track session context of said data packets.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. In a firewall device having a plurality of communication interfaces, a packet filtering component coupled to each of the interfaces, a switching process component coupled to each of the interfaces, and a firewall services component coupled to the switching process component, a method for optimizing firewall processing comprising:
a) providing a session manager in the firewall services component;
b) providing a firewall module in the switching process component;
c) instantiating a session, by said session manager, for data transfers within the firewall device, said sessions having header and payload information related to data transfers within the firewall device; and
d) instantiating a mini-session, by said session manager, corresponding to said instantiated session, said mini-session having header information related to data transfers within the firewall device, wherein said mini-session comprises instantiated software modules residing in the same address space as said switching process component.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.
17. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for optimizing firewall processing in a firewall device having a plurality of communication interfaces, a packet filtering component coupled to each of the interfaces, a switching process component coupled to each of the interfaces, and a firewall services component coupled to the switching process component, said method comprising:
a) providing a session manager in the firewall services component;
b) providing a firewall module in the switching component;
c) instantiating a session, by said session manager, for data transfers within the firewall device, said sessions having header and payload information related to data transfers within the firewall device; and
d) instantiating a mini-session, by said session manager, corresponding to said instantiated session, said mini-session having header information related to data transfers within the firewall device, wherein said mini-session comprises instantiated software modules residing in the same address space as said switching process component.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25.
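As an added illustration (not the patent's code; the class names, the 5-tuple key, the ACL shape and the packet trace are assumptions), the following Python model shows the split described in the abstract and in steps a) to d) of claims 8 and 17: the session manager in the firewall services component instantiates full sessions there and header-only mini-sessions in the switching process, whose firewall module then updates session context locally and punts only packets that have no context yet.

```python
from dataclasses import dataclass, field

def five_tuple(pkt):  # header-only key; a 5-tuple is an assumed choice
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
@dataclass
class MiniSession:            # in the switching process: header info + context only
    key: tuple
    packets: int = 0
@dataclass
class Session(MiniSession):   # in firewall services: header and payload info
    payload_seen: list = field(default_factory=list)

class FirewallServices:
    """Slow path: ACL verification, payload inspection, and the session manager."""
    def __init__(self, acl, switch):
        self.acl, self.switch, self.sessions = acl, switch, {}
    def process(self, pkt):
        key = five_tuple(pkt)
        if (key[0], key[3], key[4]) not in self.acl:   # ACL on proto/dst/dport (assumed)
            return "DROP"
        sess = self.sessions.setdefault(key, Session(key))
        sess.payload_seen.append(pkt.get("payload", b"")[:8])
        sess.packets += 1
        # The session manager instantiates the mini-session in the switch's address space.
        self.switch.mini_sessions[key] = MiniSession(key, sess.packets)
        return "PERMIT"

class SwitchingProcess:
    """Fast path: the firewall module intercepts packets and updates context locally."""
    def __init__(self):
        self.mini_sessions, self.services, self.punted = {}, None, 0
    def handle(self, pkt):
        key = five_tuple(pkt)
        ms = self.mini_sessions.get(key)
        if ms is None:                   # no context yet: punt to the services component
            self.punted += 1
            return self.services.process(pkt)
        ms.packets += 1                  # non-application-level bookkeeping, no punt
        if pkt.get("flags") in ("FIN", "RST"):
            del self.mini_sessions[key]  # a closed flow must re-authorize, not linger
        return "PERMIT"

def run_demo():
    switch = SwitchingProcess()
    switch.services = FirewallServices({("tcp", "10.0.0.5", 443)}, switch)
    flow = dict(proto="tcp", src="192.0.2.10", sport=40000, dst="10.0.0.5", dport=443)
    trace = [dict(flow, flags="SYN"), dict(flow, flags="ACK", payload=b"GET / HTTP/1.1"),
             dict(flow, flags="FIN"), dict(flow, dport=22, flags="SYN")]  # constructed trace
    verdicts = [switch.handle(p) for p in trace]
    return verdicts, switch.punted, len(switch.services.sessions)
```

Of the four packets in the constructed trace only two reach the services component (the first packet of each flow); the rest are handled against the mini-session table, and the FIN removes the mini-session so a later flow on the same 5-tuple is re-authorized.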