Firewall clustering for multiple network servers
Abstract
A firewall clustering system connects two or more firewalls between an internal network and an external network. The firewalls are combined to supply high availability and scaling of processing capacity, and each firewall maintains client-server state information. Flow controllers are connected to the firewalls on both the internal "trusted" side and the external "untrusted" side, so that the traffic of a given client-server session flows through the same firewall in both the inbound and the outbound direction. The firewalls perform filtering operations and/or network address translation (NAT) services; in either case, the flow controllers supply high availability, scalability, and traffic distribution for the firewalls in the firewall cluster.
42 Claims
1. A method of managing message traffic between an interior network and an exterior network in conjunction with a plurality of firewalls securing the interior network from intrusion from the exterior network, the method comprising:
creating a firewall cluster containing a plurality of the firewalls, the firewall cluster being addressed by a logical Internet protocol (IP) address that is distinct from unique IP addresses of firewalls contained within the firewall cluster, and further being addressed by an associated media access control (MAC) address that is distinct from unique MAC addresses of the firewalls contained within the firewall cluster;
in response to a packet addressed to the logical IP address or the associated MAC address, a flow controller that is distinct from the firewalls contained in the firewall cluster selecting a firewall from among the firewalls contained in the firewall cluster on a basis of information in a header of the packet;
in response to the selecting, the flow controller addressing the packet to the MAC address of the selected firewall; and
in response to the addressing, the flow controller sending the packet to the selected firewall for transferring the packet between the interior network and the exterior network via the selected firewall. (Dependent claims 2 to 11 and 24.)
12. A method of managing message traffic between an interior network and an exterior network in conjunction with a plurality of firewalls securing the interior network from intrusion from the exterior network, comprising:
creating an internal firewall cluster containing a plurality of the firewalls which are in the interior network, the internal firewall cluster being addressed by a first logical Internet Protocol (IP) address that is distinct from unique IP addresses of the firewalls contained within the internal firewall cluster, and further being addressed by a first associated media access control (MAC) address that is distinct from MAC addresses of the firewalls contained within the internal firewall cluster;
creating an external firewall cluster containing a plurality of the firewalls that are in the exterior network, the external firewall cluster being addressed by a second logical IP address that is distinct from unique IP addresses of the firewalls contained within the external firewall cluster, and further being addressed by a second associated MAC address that is distinct from MAC addresses of the firewalls contained within the external firewall cluster;
in response to a first packet outbound to the exterior network and addressed to the first logical IP address or the first associated MAC address, a first flow controller that is associated with the internal firewall cluster and that is distinct from the firewalls contained within the internal firewall cluster selecting a first firewall from among the internal firewall cluster on a basis of information in a header of the first packet;
in response to the selecting of the first firewall, the first flow controller addressing the first packet to the MAC address of the first firewall;
in response to the addressing of the first packet, the first flow controller sending the first packet to the first firewall for transferring the first packet from the interior network via the first firewall;
in response to a second packet inbound to the interior network and addressed to the second logical IP address or the second associated MAC address, a second flow controller that is associated with the external firewall cluster and that is distinct from the firewalls contained within the external firewall cluster selecting a second firewall from among the external firewall cluster on a basis of information in a header of the second packet;
in response to selecting of the second firewall, the second flow controller addressing the second packet to the MAC address of the second firewall; and
in response to the addressing of the second packet, the second flow controller sending the second packet to the second firewall for transferring the second packet from the exterior network via the second firewall. (Dependent claims 13 to 23.)
25. An apparatus for managing message traffic between an interior network and an exterior network in conjunction with a plurality of firewalls securing the interior network from intrusion from the exterior network, comprising:
a flow controller defining a firewall cluster containing a plurality of the firewalls, the firewall cluster being addressed by a logical Internet Protocol (IP) address that is distinct from unique IP addresses of firewalls contained within the firewall cluster, and further being addressed by an associated media access control (MAC) address that is distinct from unique MAC addresses of the firewalls contained within the firewall cluster, the flow controller being distinct from the firewalls contained within the firewall cluster and being responsive to a packet addressed to the logical IP address or to the associated MAC address by selecting a firewall from among the firewalls contained in the firewall cluster on a basis of information in a header of the packet, addressing the packet to the MAC address of the selected firewall, and sending the packet to the selected firewall for transfer of the packet by the selected firewall between the interior network and the exterior network. (Dependent claims 26 to 35.)
36. An apparatus for managing message traffic between an interior network and an exterior network in conjunction with a plurality of firewalls securing the interior network from intrusion from the exterior network, comprising:
a first flow controller defining an internal firewall cluster containing a plurality of the firewalls which are in the interior network, the internal firewall cluster being addressed by a first logical Internet Protocol (IP) address that is distinct from unique IP addresses of the firewalls contained within the internal firewall cluster, and further being addressed by a first associated media access control (MAC) address that is distinct from unique MAC addresses of the firewalls contained within the internal firewall cluster, the first flow controller being associated with the internal firewall cluster, being distinct from the firewalls contained within the internal firewall cluster, and being responsive to a first packet outbound to the exterior network and addressed to the first logical IP address or the first associated MAC address by selecting a first firewall from among the internal firewall cluster on a basis of information in a header of the first packet, addressing the first packet to the MAC address of the first firewall, and sending the first packet to the first firewall for transfer of the packet by the first firewall between the interior network and the exterior network; and
a second flow controller defining an external firewall cluster containing a plurality of the firewalls which are in the exterior network, the external firewall cluster being addressed by a second logical IP address that is distinct from unique IP addresses of the firewalls contained within the external firewall cluster, and further being addressed by a second associated MAC address that is distinct from MAC addresses of the firewalls contained within the external firewall cluster, the second flow controller being associated with the external firewall cluster, being distinct from the firewalls contained within the external firewall cluster, and being responsive to a second packet inbound to the interior network and addressed to the second logical IP address or the second associated MAC address by selecting a second firewall from among the external firewall cluster on a basis of information in a header of the second packet, addressing the second packet to the MAC address of the second firewall, and sending the second packet to the second firewall for transfer of the packet by the second firewall between the exterior network and the interior network. (Dependent claims 37 to 42.)
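The mechanism claimed above (one logical IP and MAC per cluster, a flow controller that is not itself a firewall, member selection from packet header fields, rewriting of the destination MAC to the chosen member, and paired controllers on the trusted and untrusted sides so that both directions of a session reach the same member) as an added, runnable model. This is example code written for this page, not the patent's or any vendor's implementation. The addresses, the member names, the `Packet`, `Firewall` and `FlowController` classes, and the choice of rendezvous hashing over a direction-independent 5-tuple are all assumptions: the claims only say that selection is made "on a basis of information in a header of the packet".

```python
from dataclasses import dataclass, replace
import hashlib


@dataclass(frozen=True)
class Packet:
    dst_mac: str      # destination MAC as seen by the flow controller
    src_ip: str
    dst_ip: str
    proto: int        # IP protocol number (6 = TCP)
    src_port: int
    dst_port: int


@dataclass
class Firewall:
    name: str         # cluster-wide identity of the member (same on both sides)
    ip: str           # the member's own unique IP, distinct from the logical IP
    mac: str          # the member's MAC on the interface facing this controller
    healthy: bool = True


class FlowController:
    """Assumed model of one claimed flow controller: distinct from the
    firewalls, owns the cluster's logical IP/MAC, picks a member from header
    fields and re-addresses the packet to that member's MAC."""

    def __init__(self, logical_ip, logical_mac, firewalls):
        self.logical_ip = logical_ip
        self.logical_mac = logical_mac
        self.firewalls = list(firewalls)

    def is_for_cluster(self, pkt):
        # Claim 1: a packet "addressed to the logical IP address or the
        # associated MAC address".  The MAC case is the cluster acting as the
        # next hop for a packet whose IP destination is a remote host.
        return pkt.dst_mac == self.logical_mac or pkt.dst_ip == self.logical_ip

    @staticmethod
    def flow_key(pkt):
        # Direction-independent 5-tuple: endpoints are sorted so the reply
        # (src/dst swapped) hashes to the same key as the request.
        ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        return f"{pkt.proto}|{ends[0][0]}:{ends[0][1]}|{ends[1][0]}:{ends[1][1]}"

    def select(self, pkt):
        """Rendezvous (highest-random-weight) hashing over healthy members
        (assumed algorithm).  Keyed on the member *name* so the inside and
        outside controllers agree although they see different interface MACs;
        losing a member only moves the flows that were on that member."""
        key = self.flow_key(pkt)
        best, best_score = None, -1
        for fw in self.firewalls:
            if not fw.healthy:
                continue
            digest = hashlib.sha256(f"{key}|{fw.name}".encode()).digest()
            score = int.from_bytes(digest[:8], "big")
            if score > best_score:
                best, best_score = fw, score
        return best

    def forward(self, pkt):
        """Packet re-addressed to the chosen member's MAC, or None when the
        packet is not for this cluster or no member is healthy."""
        if not self.is_for_cluster(pkt):
            return None
        fw = self.select(pkt)
        return None if fw is None else replace(pkt, dst_mac=fw.mac)


def build_topology():
    """Constructed topology as in claim 12: the same three firewalls form an
    internal cluster (inside-facing MACs) and an external cluster
    (outside-facing MACs), each fronted by its own flow controller."""
    inside = [Firewall("fw-a", "10.0.0.11", "02:00:00:00:01:0a"),
              Firewall("fw-b", "10.0.0.12", "02:00:00:00:01:0b"),
              Firewall("fw-c", "10.0.0.13", "02:00:00:00:01:0c")]
    outside = [Firewall("fw-a", "203.0.113.11", "02:00:00:00:02:0a"),
               Firewall("fw-b", "203.0.113.12", "02:00:00:00:02:0b"),
               Firewall("fw-c", "203.0.113.13", "02:00:00:00:02:0c")]
    internal_fc = FlowController("10.0.0.1", "02:00:00:00:01:01", inside)
    external_fc = FlowController("203.0.113.1", "02:00:00:00:02:01", outside)
    return internal_fc, external_fc


def set_health(controllers, name, healthy):
    """Mark one member up or down in every controller's view of the cluster."""
    for fc in controllers:
        for fw in fc.firewalls:
            if fw.name == name:
                fw.healthy = healthy


def assignments(fc, packets):
    """Map each flow key to the member name the controller picks for it."""
    return {fc.flow_key(p): fc.select(p).name for p in packets}
```

Two caveats a practitioner should check against any real product built on this scheme. First, the abstract says the firewalls may perform NAT; when the selected member translates the source address of an outbound packet, the external controller sees the translated tuple, so a plain hash of the 5-tuple no longer reproduces the internal controller's choice, and the page does not say how the two controllers stay in agreement in that case. Second, the firewalls are stateful, so when a member fails the flows re-homed to another member arrive at a firewall that has no state for them and will normally be dropped or reset unless session state is replicated, which the page does not describe.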