Hardware based security groups, firewall load sharing, and firewall redundancy

US 6,901,517 B1
Filed: 07/16/1999
Issued: 05/31/2005
Est. Priority Date: 07/16/1999
Status: Expired due to Term

First Claim

Patent Images

1. A secure telecommunications system comprising:

an external network on which traffic travels;

a switch connected to the external network;

an internal network connected to the switch;

a first inspection engine connected to the switch and not in line with the internal network and the external network, which receives traffic from the switch, processes the traffic to determine whether it is desired traffic or undesired traffic, which prevents undesired traffic from passing through it and which sends desired traffic back to the switch;

a second inspection engine connected to the switch and not in line with the internal network and the external network, which receives traffic from the switch, processes the traffic to determine whether it is desired traffic or undesired traffic, which prevents undesired traffic from passing through it and which sends desired traffic back to the switch;

a first destination connected to the switch through the internal network which receives desired traffic from the switch that has been processed by the first inspection engine; and

a second destination connected to the switch through the internal network which receives desired traffic from the switch that has been processed by the second inspection engine.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure telecommunications system includes an external network and an internal network on which traffic travels. The system includes a switch connected to the network. The system includes a first inspection engine and a second inspection engine which are connected to the switch, which receive traffic from the switch, process the traffic to determine whether it is desired traffic or undesired traffic, which prevent undesired traffic from passing through it and which sends desired traffic back to the switch. The system includes a first destination connected to the switch which receives desired traffic from the switch that has been processed by the first inspection engine. The system includes a second destination connected to the switch which receives desired traffic from the switch that has been processed by the second inspection engine. A method for sending traffic over a secure telecommunications system.

123 Citations

20 Claims

1. A secure telecommunications system comprising:
- an external network on which traffic travels;
  
  a switch connected to the external network;
  
  an internal network connected to the switch;
  
  a first inspection engine connected to the switch and not in line with the internal network and the external network, which receives traffic from the switch, processes the traffic to determine whether it is desired traffic or undesired traffic, which prevents undesired traffic from passing through it and which sends desired traffic back to the switch;
  
  a second inspection engine connected to the switch and not in line with the internal network and the external network, which receives traffic from the switch, processes the traffic to determine whether it is desired traffic or undesired traffic, which prevents undesired traffic from passing through it and which sends desired traffic back to the switch;
  
  a first destination connected to the switch through the internal network which receives desired traffic from the switch that has been processed by the first inspection engine; and
  
  a second destination connected to the switch through the internal network which receives desired traffic from the switch that has been processed by the second inspection engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A system as described in claim 1 wherein the first inspection engine includes a first firewall processing engine and the second inspection engine includes a second firewall processing engine.
  - 3. A system as described in claim 2 wherein the switch has a first port and a second port connected to the external network which receives traffic from the external network, said switch directing traffic received at the first port to the first firewall processing engine and directing traffic received at the second port to the second firewall processing engine.
  - 4. A system as described in claim 3 including N additional firewall processing engines connected to the switch besides the first firewall processing engine and the second firewall processing engine so there are a total of N+2 firewall processing engines, where N is greater than or equal to 1 and is an integer.
  - 5. A system as described in claim 4 wherein the switch has N additional ports besides the first port and the second port, wherein each port is connected to a corresponding firewall processing engine.
  - 6. A system as described in claim 5 wherein the switch is configured into security groups with at least one of the N+2 firewall processing engines serving each security group.
  - 7. A system as described in claim 6 wherein the switch load-shares traffic for each security group across corresponding firewall processing engines serving the corresponding security group.
  - 8. A system as described in claim 7 wherein the switch rebalances traffic for a security group when one of the firewall processing engines serving the security group fails across the other firewall processing engines serving the security group.
  - 9. A system as described in claim 8 wherein the switch is scalable to allow for adding firewall processing engines.
  - 10. A system as described in claim 9 wherein the traffic includes bits and wherein the firewall processing engines serving a first security group of the security groups encrypt greater than 1 Gbps of traffic.
  - 11. A system as described in claim 10 wherein the external network includes the Internet, and the first destination includes a first web server and the second destination includes a second web server.
  - 12. A system as described in claim 11 wherein the Internet includes a LAN.

13. A method for sending traffic over a secure telecommunications system comprising the steps of:
- receiving traffic from an external network at a switch connected to the external network and an internal network;
  
  directing traffic to a first inspection engine connected to the switch and not in line with the internal network or the external network, and to a second inspection engine connected to the switch and not in line with the internal network or the external network;
  
  receiving traffic at the first inspection engine;
  
  processing traffic received at the first inspection engine to determine whether it is desired traffic or undesired traffic;
  
  sending the desired traffic back to the switch from the first inspection engine and discarding undesired traffic from the first inspection engine;
  
  transferring desired traffic received by the switch from the first inspection engine to a first destination through the internal network;
  
  processing traffic received at the second inspection engine to determine whether it is desired traffic or undesired traffic;
  
  sending the desired traffic back to the switch from the second inspection engine and discarding undesired traffic from the second inspection engine; and
  
  transferring desired traffic received by the switch from the second inspection engine to a second destination through the internal network.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. A method as described in claim 13 wherein the first and second inspection engines include a first firewall processing engine and a second firewall processing engine, respectively, and wherein the directing traffic step includes the step of directing traffic to the first firewall processing engine and second firewall processing engine and to a third firewall processing engine and a forth firewall processing engine.
  - 15. A method as described in claim 14 wherein the switch is configured into a first security group and a second security group, and the receiving step includes the step of receiving traffic at the first security group.
  - 16. A method as described in claim 15 wherein the directing step includes the step of directing the traffic from the first security group of the switch to the first, third and fourth firewall processing engines which serve the first security group of the switch, and directing traffic to the second firewall processing engine serving the second security group of the switch.
  - 17. A method as described in claim 16 wherein the receiving step includes the step of receiving traffic from the first security group at a first port of the switch and receiving traffic for the second security group at a second port of the switch.
  - 18. A method as described in claim 17 wherein the directing the traffic from the first security group includes the step of load-sharing by the switch the traffic received by the first security group between the first, third and fourth firewall processing engines.
  - 19. A method as described in claim 18 wherein the directing the traffic from the first security group includes the step of rebalancing traffic from the first security group to the third and fourth firewall processing engines when the first firewall processing engine fails.
  - 20. A method as described in claim 19 wherein after the step of transferring traffic to the first destination, there is the step of connecting a fifth firewall processing engine to the switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Original Assignee
Marconi Communications, Inc. (Marconi Holdings Company Limited)
Inventors
Redmore, Seth
Primary Examiner(s)
Wright, Norman M.

Application Number

US09/356,086
Time in Patent Office

2,146 Days
Field of Search

713/200, 713/201, 713/202, 717/101, 370/252, 709/227, 709/244, 709/245
US Class Current

726/11
CPC Class Codes

H04L 49/351   for local area network [LAN...

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

Hardware based security groups, firewall load sharing, and firewall redundancy

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

123 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware based security groups, firewall load sharing, and firewall redundancy

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links