High availability network security systems

US 7,197,660 B1
Filed: 06/26/2002
Issued: 03/27/2007
Est. Priority Date: 06/26/2002
Status: Active Grant

First Claim

Patent Images

1. A recovery method for a network security system, the method comprising:

providing a master device and a backup device within a cluster of network security devices;

providing the backup device with state information for the master device, the state information relating to an ongoing set of connections through the master device and the state information including session information and keying material associated with secure remote connections;

communicating control messages relating to a failure state of the master device and the backup device over an out-of-band connection and, when the out-of-band connection fails, communicating the control messages over an in-band connection;

detecting failure in the cluster based on the control messages; and

using the state information to recover from the failure by recovering the ongoing set of connections at the backup device,wherein the master device and the backup device are configured to simultaneously act as a backup device and a master device, respectively, for an additional set of ongoing connections.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for a network security system are provided. The method includes providing a master device and a backup device within a cluster of network security devices, providing the backup device with state information for the master device, detecting failure in the cluster and using the state information to recover from the failure.

125 Citations

16 Claims

1. A recovery method for a network security system, the method comprising:
- providing a master device and a backup device within a cluster of network security devices;
  
  providing the backup device with state information for the master device, the state information relating to an ongoing set of connections through the master device and the state information including session information and keying material associated with secure remote connections;
  
  communicating control messages relating to a failure state of the master device and the backup device over an out-of-band connection and, when the out-of-band connection fails, communicating the control messages over an in-band connection;
  
  detecting failure in the cluster based on the control messages; and
  
  using the state information to recover from the failure by recovering the ongoing set of connections at the backup device,wherein the master device and the backup device are configured to simultaneously act as a backup device and a master device, respectively, for an additional set of ongoing connections.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein detecting failure in the cluster comprises monitoring paths within the cluster.
  - 3. The method of claim 1 wherein the master device and the backup device are elected in advance of the failure.
  - 4. The method of claim 1, wherein the state information relates to an ongoing file transfer protocol (ftp) connection.
  - 5. The method of claim 1, wherein the state information relates to an ongoing virtual private network (VPN) connection.

6. A network security device comprising:
- ports for communicating on a network; and
  
  a controller configured tooperate as a master device for a first set of connections, including transmitting state information for the first set of connections to one or more backup devices, the state information including session information and keying material associated with secure remote communications;
  
  communicate control messages relating to a failure state of the master device and the one or more backup devices over an out-of-band connection and, when the out-of-band connection fails, communicate the control messages over an in-band connection; and
  
  simultaneously operate as a backup device for a second set of connections, including receiving state information from a master device associated with the second set of connections, detecting failure of the associated master device, and using state information received from the associated master device to recover from the failure.
- View Dependent Claims (7, 8, 9)
- - 7. The network security device of claim 6 wherein the ports for communicating on the network include redundant network ports.
  - 8. The network security device of claim 6, wherein the state information relates to an ongoing file transfer protocol (ftp) connection.
  - 9. The network security device of claim 6, wherein the state information relates to an ongoing virtual private network (VPN) connection.

10. A network security system comprising:
- a master device configured to support a first group of connections including maintaining state information that relates to ongoing connections through the master device, the state information including session information and keying material associated with secure remote connections with the master device; and
  
  a backup device configured to receive the state information from the master device relating to the first group of connections, to detect a failure of the master device, and to use the state information to recover from the failure by recovering the ongoing first group of connections, the backup device recovering the state information and detecting the failure of the master device using control messages communicated via out-of-band connections and, when the out-of-band connections fail, communicating the control messages over an in-band connection,wherein the master device and the backup device are configured to simultaneously act as a backup device and a master device, respectively, for additional groups of ongoing connections.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10 wherein the master device and the backup device each contain control information necessary to support the connections.
  - 12. The system of claim 10 wherein the master device and the backup device include a messaging engine for communicating the control messages.
  - 13. The system of claim 12 where the messaging engine includes redundant messaging interfaces for transmitting and receiving the control messages in the out-of-band connection.
  - 14. The network security system of claim 10, wherein the state information relates to an ongoing file transfer protocol (ftp) connection.
  - 15. The network security system of claim 10, wherein the state information relates to an ongoing virtual private network (VPN) connection.

16. A method for increasing throughput of network security devices, the method comprising:
- providing a network device connected to a plurality of network devices divided into a first and a second group; and
  
  configuring the network device to support connections within the first group and backup connections within the second group, the backup connections being provided for by receiving control messages that include state information from another network device, the state information relating to ongoing connections in the second group and using the state information to recover from a failure in the another network device without breaking the ongoing connections in the second group, the control messages being communicated over an out-of-band connection, and, when the out-of-band connection fails, the control messages being communicated over an in-band-connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Lebovitz, Gregory M., Ke, Yan, Liu, Changming, Chen, Lin, Yang, Xiaosong
Primary Examiner(s)
Bonzo; Bryce P.

Application Number

US10/186,239
Time in Patent Office

1,735 Days
Field of Search

714/4, 726/11
US Class Current

714/4.12
CPC Class Codes

G06F 11/2035   without idle spare hardware

G06F 11/2097   maintaining the standby con...

H04L 45/586   of virtual routers

H04L 63/0272   Virtual private networks

High availability network security systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

High availability network security systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links