Firewall pooling in a network flowswitch

US 7,055,173 B1
Filed: 04/01/2000
Issued: 05/30/2006
Est. Priority Date: 12/19/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for providing firewall fault-tolerance in a network, the network including a plurality of firewalls, at least one server and at least one network flowswitch, the method comprising:

detecting in the network flowswitch an occurrence of a failed firewall of the plurality of firewalls each having a different fixed media access control (MAC) address;

detecting in the network flowswitch a packet from the server directed to the failed firewall after the occurrence of a failed firewall is detected;

changing a MAC address of the packet to the fixed MAC address of a functional firewall of the plurality of firewalls when the packet is detected; and

relaying the packet to the functional firewall after the MAC address of the packet is changed.

View all claims

19 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall fault-tolerant network interface system includes a switch circuit configured to detect when a firewall fails in a multi-firewall local network. When a failed firewall is detected, the switch circuit waits for a time-out period to expire to allow convergence. The switch circuit then intervenes when traffic from a server to the failed firewall is detected. The switch circuit translates the MAC address of the failed firewall to the MAC address of a functional firewall. Traffic from a server originally directed to the failed firewall is then redirected to a functional firewall. In a further refinement, the switch circuit provides the MAC address of a functional firewall in response to an ARP request from a server to the failed firewall. Thus, traffic from this server will be directed to the functional firewall without further intervention, reducing the overhead of the switch circuit. In still a further refinement, if the failed firewall recovers, the switch circuit waits for a time-out period to expire to allow convergence of external firewalls and to allow the recovered firewall to learn routes to known clients. The switch circuit then ceases all intervention for the MAC address of the now-recovered firewall.

295 Citations

62 Claims

1. A method for providing firewall fault-tolerance in a network, the network including a plurality of firewalls, at least one server and at least one network flowswitch, the method comprising:
- detecting in the network flowswitch an occurrence of a failed firewall of the plurality of firewalls each having a different fixed media access control (MAC) address;
  
  detecting in the network flowswitch a packet from the server directed to the failed firewall after the occurrence of a failed firewall is detected;
  
  changing a MAC address of the packet to the fixed MAC address of a functional firewall of the plurality of firewalls when the packet is detected; and
  
  relaying the packet to the functional firewall after the MAC address of the packet is changed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the network comprises a plurality of servers.
  - 3. The method of claim 2 wherein relaying the packet to the functional firewall comprises relaying the packet to the functional firewall over a medium that is not shred with packets directed to other firewalls or servers.
  - 4. The method of claim 1 wherein said detecting an occurrence of a failed firewall comprises sending a request to the plurality of firewalls, wherein an absence of a response from a particular firewall of the plurality of firewalls is indicative of a failure of the particular firewall.
  - 5. The method of claim 1 wherein said detecting an occurrence of a failed firewall comprises sending at least one Address Resolution Protocol (ARP) request to each firewall of the plurality of firewalls, wherein an absence of a reply to an ARP request from a particular firewall of the plurality of firewalls is indicative of a failure of the particular firewall.
  - 6. The method of claim 1 further comprising:
    - detecting an address resolution protocol (ARP) request from the server to the failed firewall; and
      
      responding to the ARP request with the fixed MAC address of the functional firewall, whereby the server is configured to send subsequent outbound packets with the fixed MAC address of the functional firewall.
  - 7. The method of claim 1 wherein said detecting an occurrence of a failed firewall comprises sending ICMP echo packets to each firewall of the plurality of firewalls and wherein an absence of a response from a particular firewall of the plurality of firewalls during a predetermined interval is indicative of a failure of the particular firewall.
  - 8. The method of claim 1 further comprising:
    - detecting a recovery of the failed firewall, the failed firewall becoming a recovered firewall; and
      
      terminating said detecting a packet from the server directed to the failed firewall when said failed firewall recovers.
  - 9. The method of claim 8 further comprising waiting for a time-out period to expire after said detecting when the failed firewall recovers.
  - 10. The method of claim 9 wherein the time-out period is greater than or equal to a time period needed for the recovered firewall to learn routes to all known clients.
  - 11. The method of claim 8 wherein said detecting a recovery of the failed firewall comprises sending to the failed firewall a request, and a response from the failed firewall is indicative of a recovery of the failed firewall.
  - 12. The method of claim 8 wherein said detecting a recovery of the failed firewall comprises detecting a packet from the failed firewall in response to a request.
  - 13. The method of claim 8 wherein said detecting a recovery of the failed firewall comprising sending ARP requests to each firewall of the plurality of firewalls, wherein an occurrence of a reply to an ARP request from the failed firewall is indicative of a recovery of the failed firewall.
  - 14. The method of claim 1 wherein packets are transferred between the server and a firewall of the plurality of firewalls through a switch circuit.
  - 15. The method of claim 14 wherein the switch circuit comprises a switched Ethernet circuit.

16. An apparatus for providing firewall fault-tolerance in a network, the network including a plurality of firewalls, at least one server and at least one network flowswitch, the apparatus comprising:
- means for detecting an occurrence of a failed firewall in the plurality of firewalls each having a difference fixed media access control (MAC) address;
  
  means for detecting a packet from the server directed to the failed firewall after the failed firewall is detected;
  
  means for changing a MAC address of the packet to the fixed MAC address of a functional firewall of the plurality of firewalls when the packet is detected; and
  
  means for relaying the packet to the functional firewall after the MAC address of the packet is changed.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The apparatus of claim 16 further comprising:
    - means for detecting an address resolution protocol (ARP) request from the server to the failed firewall; and
      
      means for responding to the ARP request with the fixed MAC address of the functional firewall, wherein the server sends subsequent outbound packets with the fixed MAC address of the functional firewall.
  - 18. The apparatus of claim 16 wherein said means for detecting a failed firewall comprises means for transmitting a request to the plurality of firewalls, wherein an absence of a reply from a particular firewall of the plurality of firewalls is indicative of a failure of the particular firewall.
  - 19. The apparatus of claim 16 wherein said means for detecting a failed firewall comprises means for sending ARP requests to each firewall of the plurality of firewalls, wherein an absence of a reply to an ARP request from a particular firewall of the plurality of firewalls is indicative of a failure of the particular firewall.
  - 20. The apparatus of claim 16 further comprising:
    - means for detecting a recovery of the failed firewall, the failed firewall becoming a recovered firewall; and
      
      means for disabling said means for detecting a packet from the server directed to the failed firewall when said failed firewall recovers.
  - 21. The apparatus of claim 20 wherein said means for detecting a recovery of the failed firewall comprises means for transmitting a request to the plurality of firewalls, wherein a response from the failed firewall is indicative of recovery of the failed firewall.
  - 22. The apparatus of claim 16 wherein said means for detecting a recovery of the failed firewall comprises means for sending ARP requests to each firewall of the plurality of firewalls, wherein an occurrence of a replay to an ARP request from the failed firewall is indicative of a recovery of the failed firewall.

23. A network having firewall fault-tolerance, the network configured to be coupled to a network backbone, the network comprising:
- a switch circuit;
  
  a first firewall coupled to said switch circuit and the network backbone, said first firewall having a fixed media access control (MAC) address;
  
  a second firewall coupled to said switch circuit and the network backbone, said second firewall having a fixed MAC address different from the fixed MAC address of the first firewall; and
  
  a server coupled to the switch circuit,wherein the switch circuit is configured to detect when the first firewall fails, the switch circuit being further configured to monitor packets sent by the server to the first firewall and to change in the packet the fixed MAC address of failed said first firewall to the fixed MAC address of functional said second firewall and relay the packet to the functional second firewall after changing the fixed MAC address of the first firewall to the fixed MAC address of the second firewall.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 24. The network of claim 23 further comprising a plurality of servers, the plurality of servers including the server.
  - 25. The network of claim 23 wherein the switch circuit is configured to detect a failed firewall by transmitting a request to the first and second firewalls, wherein an absence of a reply from a particular firewall of the first and second firewalls is indicative of a failure of the particular firewall.
  - 26. The network of claim 23 wherein the switch circuit is configured to detect a failed firewall by sending ARP requests to the first and second firewalls, wherein an absence of a replay to an ARP request from a particular firewall of the first and second of firewalls is indicative of a failure of the particular firewall.
  - 27. The network of claim 23 wherein the switch circuit is configured to detect a failed firewall by sending ICMP echo requests to the first and second firewalls, wherein an absence of a reply to an ICMP echo request from a particular firewall of the first and second of firewalls is indicative of a failure of the particular firewall.
  - 28. The network of claim 23 wherein the switch circuit is configured to detect a failed firewall by monitoring responses from the firewalls to requests sent at predetermined intervals.
  - 29. The network of claim 23 wherein the switch circuit is further configured to:
    - detect an address resolution protocol (ARP) request from the server to the first firewall; and
      
      respond to the ARP request with the fixed MAC address of the second firewall, whereby the server sends subsequent outbound packets with the fixed MAC address of the second firewall.
  - 30. The network of claim 23 wherein the switch circuit is further configured to:
    - detect when the first firewall recovers; and
      
      terminate monitoring for packets sent by the server to the first firewall after the first firewall recovers.
  - 31. The network of claim 30 wherein the switch circuit is further configured to wait for a time-out period to expire after detecting when the first firewall recovers.
  - 32. The network of claim 31 wherein the time-out period is greater than or equal to a time period needed for the recovered first firewall to learn routes to all known clients.
  - 33. The network of claim 30 wherein the switch circuit is configured to detect a recovery of the failed firewall by transmitting a request to the first and second firewalls, wherein receipt of a response from the failed firewall is indicative of a recovery of the failed firewall.
  - 34. The network of claim 30 wherein the switch circuit is configured to detect a recovery of the failed firewall by sending ARP requests to the first and second firewalls, wherein an occurrence of a reply to an ARP request from the failed firewall is indicative of a recovery of the failed firewall.
  - 35. The network of claim 30 wherein the switch circuit is configured to detect a recovery of the failed firewall by sending ICMP echo requests to the first and second firewalls, wherein an occurrence of a reply to an ICMP echo request from the failed firewall is indicative of a recovery of the failed firewall.
  - 36. The network of claim 35 wherein the switch circuit is configured to provide full-duplex communication between the first firewall and the server.
  - 37. The network of claim 35 wherein the switch circuit comprises a switched Ethernet circuit.
  - 38. The network of claim 23 wherein packets are transferred between the server and the first firewall through the switch circuit, and between the server and the second firewall through the switch circuit.

39. A method for providing fault-tolerance in a network, the network including a plurality of firewalls each having a different fixed media access control (MAC) address, the method comprising:
- generating a request message on a first side of a first firewall in the plurality of firewalls;
  
  sending the request message through the first firewall to a second side of the first firewall; and
  
  processing an absence of a reply from the second side to the request message as a failure of the first firewall, includingchanging, in a detected packet, the fixed MAC address of failed said first firewall to the fixed MAC address of a functional second firewall of the plurality of firewalls,and relaying the packet to the functional second firewall after changing the MAC address in the packet.
- View Dependent Claims (40, 41, 42, 43, 44, 45)
- - 40. The method of claim 39 further comprising:
    - maintaining in a first memory on said first side a first functional status for each firewall;
      
      maintaining in a second memory on said second side a second functional status for each firewall; and
      
      wherein said first functional status is identical to said second functional status.
  - 41. The method of claim 40 further comprising:
    - maintaining session information in a firewall for each session between computers separated by the firewall.
  - 42. The method of claim 39 further comprising:
    - sending the request message through the first firewall to a third side of the first firewall; and
      
      processing an absence of a reply from the third side to the request message as a failure of the first firewall.
  - 43. The method of claim 39 wherein:
    - the generating, sending and processing are performed in a switch circuit.
  - 44. The method of claim 39 further comprising:
    - performing Network Address Translation (NAT) in the first firewall; and
      
      adding a rule in the first firewall to maintain unchanged an internet protocol (IP) address of a source of the request message.
  - 45. The method of claim 39 further comprising:
    - receiving a request on a port; and
      
      sending a reply on said port.

46. A network having fault-tolerance, the network comprising:
- a first switch circuit;
  
  a second switch circuit; and
  
  a plurality of firewalls each having a different fixed media access control (MAC) address, the plurality of firewalls being coupled to each of the first switch circuit and the second switch circuit, each firewall being coupled to the first switch circuit by a first medium that is not shared with another firewall in the plurality of firewalls and each firewall being coupled to the second switch circuit by a second medium that is not shared with another firewall in the plurality of firewalls;
  
  whereina switch circuit of the first and the second switch circuits responds to a first firewall of the plurality of firewalls being functional by sending a first packet that has the fixed MAC address of the first firewall and is received by said switch circuit to the first firewall, and responds to a failure of the first firewall by replacing in a second packet received by said switch circuit the fixed MAC address of the first firewall with the fixed MAC address of a functional second firewall of the plurality of firewalls and sending the second packet with the replaced MAC address to the second firewall.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 47. The network of claim 46 further comprising:
    - a plurality of first computers, each first computer being coupled to the first switch circuit, each first computer being configured with the media access control (MAC) address of the first firewall, the first firewall being a default gateway for transferring packets outside the network.
  - 48. The network of claim 47 further comprising:
    - a plurality of second computers, each second computer being coupled to the second switch circuit, each second computer being configured with the MAC address of the first firewall, the first firewall being a default gateway for transferring packets inside the network.
  - 49. The network of claim 46 further comprising:
    - a plurality of routers coupled to the second switch circuit.
  - 50. The network of claim 46 wherein each of the first switch circuit and the second switch circuit comprises:
    - a first storage element encoded with a list of the plurality of firewalls; and
      
      a second storage element encoded with an identity of a firewall in the plurality as a replacement firewall for any other firewall in the plurality that has failed.
  - 51. The network of claim 46 wherein:
    - each of the first switch circuit and the second switch circuit is configured to send a request message to the other of the first switch circuit and the second switch circuit; and
      
      each of the first switch circuit and the second switch circuit is configured to treat absence of a response to the request message as a failure of a firewall through which the request message was sent.
  - 52. The network of claim 51 wherein:
    - the request message conforms to an internet protocol selected from the group consisting of;
      
      (a) ping;
      
      (b) address resolution protocol (ARP); and
      
      (c) internet message control protocol (ICMP).
  - 53. The network of claim 46 wherein:
    - the first switch circuit transfers a plurality of packets to the first firewall through a first medium without changing any portion of any packet in the plurality of packets while the first firewall is functional.
  - 54. The network of claim 46 wherein:
    - the switch circuit replaces in each received packet the fixed MAC address of the first firewall with the MAC address of the second firewall and transfers each modified packet to the second firewall only while the first firewall is nonfunctional.
  - 55. The network of claim 46 wherein each switch circuit comprises a switched Ethernet circuit.

56. The method of providing fault-tolerance in a network, the network including a plurality of firewalls each having a different fixed media access control (MAC) address, the method comprising:
- detecting a failure of a first firewall in the plurality of firewalls;
  
  changing, in a packet, the fixed MAC address of failed said first firewall to the fixed MAC address of a functional second firewall of the plurality of firewalls in response to the failure; and
  
  relaying the packet to the functional second firewall after changing the MAC address in the packet.
- View Dependent Claims (57, 58, 59, 60, 61, 62)
- - 57. The method of claim 56 wherein:
    - the detecting is performed in a switch circuit.
  - 58. The method of claim 56 further comprising:
    - receiving the packet after detecting the failure and prior to the replacing.
  - 59. The method of claim 56 further comprising:
    - transferring a plurality of packets other than the packet, between a host and a firewall in the plurality of firewalls through a switch circuit.
  - 60. The method of claim 59 wherein:
    - each of the packets contains a first internet protocol (IP address; and
      
      the method does not change the first IP address during transferring of the packets to any of the firewalls.
  - 61. The method of claim 60 wherein:
    - each of the firewalls has a first side and a second side; and
      
      each of the firewalls has the first IP address on the first side and a second IP address on the second side.
  - 62. The method of claim 60 wherein:
    - the method does not change the MAC address of any of the packets during the transferring, until the detecting of failure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Avaya Technology Corporation Miami Lakes FLA US
Inventors
Chaganty, Srinivas, Bommareddy, Sathish, Kale, Makarand
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
TRUVAN, LEYNNA THANH

Application Number

US09/540,238
Time in Patent Office

2,250 Days
Field of Search

713/200, 713/201, 713/202, 714/2, 714/3, 714/10, 709/104, 709/200, 709/201, 709/202, 709/203, 709/220, 709/219, 709/223, 709/225, 709/226
US Class Current

726/11
CPC Class Codes

H04L 41/0654   using network fault recover...

H04L 41/0681   Configuration of triggering...

H04L 45/22   Alternate routing

H04L 45/28   using route fault recovery

H04L 45/58   Association of routers

H04L 63/0218   Distributed architectures, ...

Firewall pooling in a network flowswitch

First Claim

19 Assignments

0 Petitions

Accused Products

Abstract

295 Citations

62 Claims

Specification

Use Cases

Quick Links

Others

Firewall pooling in a network flowswitch

First Claim

19 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

295 Citations

62 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others