Firewall including local bus

US 7,363,653 B2
Filed: 01/26/2004
Issued: 04/22/2008
Est. Priority Date: 04/01/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A network device comprising:

an interface to receive a plurality of packets from a network;

a first memory to store the packets;

a controller to coordinate transfer of the packets to and from the memory;

a packet processor to perform a plurality of processing operations on the packets that are retrieved from the memory, wherein the packet processor includes a second memory to store a first portion of a control policy; and

a third memory to store a second portion of the control policy, wherein the packet processor is configured to;

apply the first portion of the control policy to at least one of the retrieved packets,search the third memory for the second portion of the control policy, andapply, following the search, the second portion of the control policy to the at least one retrieved packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy.

28 Citations

View as Search Results

20 Claims

1. A network device comprising:
- an interface to receive a plurality of packets from a network;
  
  a first memory to store the packets;
  
  a controller to coordinate transfer of the packets to and from the memory;
  
  a packet processor to perform a plurality of processing operations on the packets that are retrieved from the memory, wherein the packet processor includes a second memory to store a first portion of a control policy; and
  
  a third memory to store a second portion of the control policy, wherein the packet processor is configured to;
  
  apply the first portion of the control policy to at least one of the retrieved packets,search the third memory for the second portion of the control policy, andapply, following the search, the second portion of the control policy to the at least one retrieved packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The network device of claim 1, wherein the first portion of the control policy includes a pointer to the second portion of the control policy.
  - 3. The network device of claim 1, wherein the packet processor further includes at least two of a direct memory access engine, a firewall engine, an encryption/decryption engine, or an authentication engine.
  - 4. The network device of claim 3, wherein the at least two engines are configured to operate in parallel with respect to the second packet.
  - 5. The network device of claim 4, wherein the parallel operations do not degrade a performance of either of the at least two engines.
  - 6. The network device of claim 1, wherein the plurality of processing operations include at least two of authentication, encryption, decryption, virtual private network (VPN), or firewall services.
  - 7. The network device of claim 6, wherein the at least two operations are performed in parallel with respect to the second packet.
  - 8. The network device of claim 1, wherein the plurality of processing operations include at least two of data encryption standard (DES) encryption, message digest 5 (MD5) authentication, triple DES encryption, or secure hash algorithm (SHA1) authentication.
  - 9. The network device of claim 8, wherein the at least two processing operations are performed in parallel with respect to the second packet without causing interruption to either of the at least two processing operations.
  - 10. The network device of claim 8, wherein the packet processor is further configured to initiate a first of the at least two processing operations within a plurality of clock cycles following an initiation and without interruption of a second of the at least two packet processing operations.

11. A method comprising:
- receiving, at a network device, a plurality of packets from a first network which are destined for a second network;
  
  transferring, via a first bus, a first one of the received packets for storage within the network device;
  
  retrieving, via a second bus, the first packet from storage; and
  
  performing a plurality of security-related packet processing operations on the retrieved packet, and concurrently transferring, via the first bus, a second one of the received packets for storage within the network device.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein the plurality of security-related packet processing operations comprise at least two of authentication, encryption, decryption, virtual private network (VPN), or firewall services.
  - 13. The method of claim 12, wherein the at least two security-related packet processing operations are performed in parallel.
  - 14. The method of claim 12, wherein a first of the at least two security-related packet processing operations is initiated within a plurality of clock cycles following an initiation and without interruption of a second of the at least two security-related packet processing operations.
  - 15. The method of claim 11, wherein the plurality of security-related packet processing operations comprise at least two of data encryption standard (DES) encryption, message digest 5 (MD5) authentication, triple DES encryption, or secure hash algorithm (SHA1) authentication.
  - 16. The method of claim 15, wherein the at least two security-related packet processing operations are performed in parallel.

17. A communication system comprising:
- means for receiving a plurality of packets from a network;
  
  means for storing the packets;
  
  means for coordinating transfer of the packets to and from storage;
  
  means for performing a plurality of security-related processing operations on the packets that are retrieved from storage;
  
  means for conveying a first one of the packets between the means for coordinating transfer and storage; and
  
  means for conveying a second one of the packets between storage and the means for performing security-related processing, wherein the first and second packets are conveyed concurrently.
- View Dependent Claims (18, 19, 20)
- - 18. The communication system of claim 17, wherein the means for performing the plurality of security-related processing operations comprises:
    - means for achieving direct storage access,means for screening the packets that are retrieved from storage,means for encrypting or decrypting the packets that are retrieved from storage, andmeans for authenticating the packets that are retrieved from storage.
  - 19. The communication system of claim 18, wherein the means for encrypting or decrypting the packets and the means for authenticating the packets are configured to operate in parallel with respect to the second packet.
  - 20. The communication system of claim 18, wherein the means for encrypting or decrypting the packets comprises:
    - means for performing at least one of data encryption standard (DES) encryption, or triple DES encryption.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Luo, Dongping, Ke, Yan, Deng, Feng
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US10/765,677
Publication Number

US 20040158744A1
Time in Patent Office

1,548 Days
Field of Search

711/100, 726/11, 726/12, 726/1
US Class Current

726/11
CPC Class Codes

H04L 49/90   Buffering arrangements

H04L 49/901   using storage descriptor, e...

H04L 49/9057   Arrangements for supporting...

H04L 63/02   for separating internal fro...

H04L 69/16   Implementation or adaptatio...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Firewall including local bus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall including local bus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links