High availability network security systems
First Claim
1. A recovery method for a network security system, the method comprising:
- providing a master device and a backup device within a cluster of network security devices;
- providing the backup device with state information for the master device, the state information relating to an ongoing set of connections through the master device and the state information including session information and keying material associated with secure remote connections;
- communicating control messages relating to a failure state of the master device and the backup device over an out-of-band connection and, when the out-of-band connection fails, communicating the control messages over an in-band connection;
- detecting failure in the cluster based on the control messages; and
- using the state information to recover from the failure by recovering the ongoing set of connections at the backup device, wherein the master device and the backup device are configured to simultaneously act as a backup device and a master device, respectively, for an additional set of ongoing connections.
Abstract
A system and method for a network security system are provided. The method includes providing a master device and a backup device within a cluster of network security devices, providing the backup device with state information for the master device, detecting failure in the cluster and using the state information to recover from the failure.
125 Citations
16 Claims
6. A network security device comprising:
- ports for communicating on a network; and
- a controller configured to:
  - operate as a master device for a first set of connections, including transmitting state information for the first set of connections to one or more backup devices, the state information including session information and keying material associated with secure remote communications;
  - communicate control messages relating to a failure state of the master device and the one or more backup devices over an out-of-band connection and, when the out-of-band connection fails, communicate the control messages over an in-band connection; and
  - simultaneously operate as a backup device for a second set of connections, including receiving state information from a master device associated with the second set of connections, detecting failure of the associated master device, and using state information received from the associated master device to recover from the failure.
(Dependent claims: 7, 8, 9)

10. A network security system comprising:
- a master device configured to support a first group of connections including maintaining state information that relates to ongoing connections through the master device, the state information including session information and keying material associated with secure remote connections with the master device; and
- a backup device configured to receive the state information from the master device relating to the first group of connections, to detect a failure of the master device, and to use the state information to recover from the failure by recovering the ongoing first group of connections, the backup device recovering the state information and detecting the failure of the master device using control messages communicated via out-of-band connections and, when the out-of-band connections fail, communicating the control messages over an in-band connection, wherein the master device and the backup device are configured to simultaneously act as a backup device and a master device, respectively, for additional groups of ongoing connections.
(Dependent claims: 11, 12, 13, 14, 15)
16. A method for increasing throughput of network security devices, the method comprising:
- providing a network device connected to a plurality of network devices divided into a first and a second group; and
- configuring the network device to support connections within the first group and backup connections within the second group, the backup connections being provided for by receiving control messages that include state information from another network device, the state information relating to ongoing connections in the second group and using the state information to recover from a failure in the another network device without breaking the ongoing connections in the second group, the control messages being communicated over an out-of-band connection, and, when the out-of-band connection fails, the control messages being communicated over an in-band connection.
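The following simulation is an added illustration of the arrangement the claims describe, not code from the patent or from any product: two devices form an active-active pair, each master for one connection group and backup for the other, control messages carry a heartbeat plus a snapshot of session state (including per-session keying material) over an out-of-band link with fallback to the in-band link, and the backup promotes itself only when heartbeats stop. The class and function names, the tick-based clock and `HEARTBEAT_TIMEOUT` are assumptions made for the example.

```python
HEARTBEAT_TIMEOUT = 3   # ticks without a control message before the peer is declared failed


class Device:
    """One member of an active-active pair: master for one connection group, backup for the other."""

    def __init__(self, name, master_group, backup_group):
        self.name, self.alive = name, True
        self.role = {master_group: "master", backup_group: "backup"}
        self.sessions = {master_group: {}, backup_group: {}}   # group -> {session_id: keying material}
        self.last_seen = 0                                      # tick of the last control message from the peer

    def open_session(self, group, sid, key):
        assert self.role[group] == "master"
        self.sessions[group][sid] = key

    def control_message(self, tick, oob_up):
        """Heartbeat plus state snapshot for the mastered group, tagged with the link it travels on."""
        group = next(g for g, r in self.role.items() if r == "master")
        return {"from": self.name, "tick": tick, "group": group,
                "channel": "oob" if oob_up else "inband", "state": dict(self.sessions[group])}

    def receive(self, msg):
        self.last_seen = msg["tick"]
        self.sessions[msg["group"]] = dict(msg["state"])   # refresh the replicated state

    def peer_failed(self, now):
        return now - self.last_seen > HEARTBEAT_TIMEOUT

    def recover(self, group):
        self.role[group] = "master"     # promote; replicated keys let existing sessions continue
        return self.sessions[group]


def run(ticks, fail_oob_at=None, kill_a_at=None):
    """Drive an A/B pair for `ticks` rounds; A masters group 1, B masters group 2."""
    a, b = Device("A", 1, 2), Device("B", 2, 1)
    a.open_session(1, "s1", b"key-1")   # constructed sample sessions
    b.open_session(2, "s2", b"key-2")
    oob_up, channels = True, []
    for t in range(1, ticks + 1):
        oob_up = oob_up and t != fail_oob_at      # out-of-band link lost at this tick
        a.alive = a.alive and t != kill_a_at      # device A fails at this tick
        for src, dst in ((a, b), (b, a)):
            if src.alive:
                m = src.control_message(t, oob_up)
                channels.append(m["channel"])
                if dst.alive:
                    dst.receive(m)
        if b.alive and b.role[1] == "backup" and b.peer_failed(t):
            b.recover(1)                          # A's group 1 fails over to B
    return a, b, channels
```

Losing the out-of-band link alone switches the control messages to the in-band link without triggering a failover; only a missing heartbeat beyond the timeout promotes the backup.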
Specification