Distributed network security system and a hardware processor therefor

US 7,415,723 B2
Filed: 02/20/2004
Issued: 08/19/2008
Est. Priority Date: 06/11/2002
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A network system comprising:

a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprises at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor,said hardware processor comprising;

a protocol processing engine to do transport layer protocol processing;

a programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules;

an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols; and

a packet classification engine to classify the network traffic.

View all claims

5 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

An architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol layer and may also provide packet inspection through Layer 7. A set of engines may perform pass-through packet classification, policy processing and/or security processing enabling packet streaming through the architecture at nearly the full line rate. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer. A security system is also disclosed that enables a new way of implementing security capabilities inside enterprise networks in a distributed manner using a protocol processing hardware with appropriate security features.

Citations

35 Claims

1. A network system comprising:
- a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprises at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor,said hardware processor comprising;
  
  a protocol processing engine to do transport layer protocol processing;
  
  a programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules;
  
  an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols; and
  
  a packet classification engine to classify the network traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The network system of claim 1, further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager and to set up rules in said hardware processor to analyze and enforce security based on said rules.
  - 3. The network system of claim 2, wherein said network comprises at least one network system, wherein the central manager comprises at least one of:
    - a. A Security Policy Developer Interface for entering security policy;
      
      b. A Security Rules Compiler for compiling security policies into rules;
      
      c. A Rules Distribution Engine to distribute rules to said at least one network system;
      
      d. A Security Policy Manager Interface to manage said at least one network system;
      
      e. A Security Monitoring Engine to monitor said network;
      
      f. An event collection/management engine to manage said network and collect events or reports from at least one of said at least one network system;
      
      org. a combination of any of the foregoing.
  - 4. The network system of claim 2, wherein at least one of said distributed security systems provides security based on rules for:
    - a. OSI protocol layer two to provide layer two or MAC layer filtering;
      
      orb. OSI protocol layer three to provide layer three or network layer filtering;
      
      orc. OSI protocol layer four to provide layer four or transport layer filtering;
      
      ord. OSI protocol layers five through seven to provide upper layer or application layer filtering;
      
      ore. a combination of any of the foregoing.
  - 5. The network system of claim 2, wherein at least one of the at least one policy drivers executes on said hardware processor or said at least one host processor.
  - 6. The network system of claim 1, further comprising at least one security protocol comprising IPSEC, OPSEC, SSL, TLS, AES, DES, 3DES, SHA1, MD4, MD5, RSA, CHAP, Kerberos, a proprietary protocol, or a combination of any of the foregoing.
  - 7. The network system of claim 1, said network system including multiple protocol layer security that includes security functions performed at one or more protocol layers of the OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, unauthorized access, or a combination of any of the foregoing.
  - 8. The network system of claim 1 wherein said network comprises at least one network system, wherein said at least one networked system comprises a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, VOIP server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system or gateway device or a combination of any of the foregoing.
  - 9. The network system of claim 1, wherein said packet processing steps include header processing or deep packet processing or a combination thereof.
  - 10. A network system in accordance with claim 1, wherein said hardware processor is configured to analyze the network traffic communicated at a rate of at least one of 1 Gigabits per second and 10 Gigabits per second.

11. A security system comprising:
- a storage area network configured to transport storage area network traffic, wherein said storage area network comprises at least one network system, wherein said at least one network system comprises a hardware processor providing transport layer protocol processing,said hardware processor comprising;
  
  a storage protocol processing engine to do storage protocol processing;
  
  a protocol processing engine to do transport layer protocol processing;
  
  a programmable rule-matching engine to analyze the storage area network traffic for security rule matching or taking actions on matched security rules;
  
  an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols;
  
  a packet classification engine to classify the storage area network traffic; and
  
  a packet processing engine to perform packet processing tasks like header processing or deep packet processing,said security system providing multiple protocol layer security in said storage area network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The security system of claim 11, further comprising:
    - a. at least one central manager for compiling and distributing storage area network security rules; and
      
      b. at least one security policy driver to communicate with the central manager to set up rules in said hardware processor to analyze and enforce storage area network security based on said rules.
  - 13. The security system of claim 12, wherein the central manager comprises at least one of:
    - a. A Security Policy Developer Interface for entering security policy;
      
      b. A Security Rules Compiler for compiling security policies into rules;
      
      c. A Rules Distribution Engine to distribute rules to the said at least one network system;
      
      d. A Security Policy Manager Interface to manage said at least one network system;
      
      e. A Security Monitoring Engine to monitor said network;
      
      f. An event collection/management engine to manage said network and collect events or reports from said at least one network system;
      
      org. a combination of any of the foregoing.
  - 14. The security system of claim 12, wherein said at least one network system provides security based on rules fora. OSI protocol layer two to provide layer two or MAC layer filtering;
    - orb. OSI protocol layer three to provide layer three or network layer filtering;
      
      orc. OSI protocol layer four to provide layer four or transport layer filtering;
      
      ord. OSI protocol layers five through seven to provide upper layer or application layer filtering;
      
      ore. Storage protocol layer to provide storage protocol layer filtering;
      
      orf. a combination of any of the foregoing.
  - 15. The security system of claim 12, further comprising a policy driver that executes on said hardware processor or on a host processor of said at least one network system.
  - 16. The security system of claim 11, further comprising at least one security protocol comprising IPSEC, OPSEC, SSL, TLS, AES, DES, 3DES, SHA1, MD4, MD5, RSA, CHAP, Kerberos, a proprietary protocol or a combination of any of the foregoing.
  - 17. The security system of claim 11, wherein the multiple protocol layer security comprises a plurality of security functions performed at one or more protocol layers of an OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, unauthorized access, or a combination of any of the foregoing.
  - 18. A security system in accordance with claim 11, wherein said storage area network is configured to implement a Small Computer System Interface over Internet (iSCSI) protocol.

19. A security system comprising:
- a network configured to transport network traffic, wherein said network comprises a hardware processor providing a remote direct memory access (RDMA) capability and configured to offload transport layer protocol processing from a host processor that commands said hardware processor;
  
  said hardware processor comprising;
  
  an RDMA mechanism for performing RDMA data transfer;
  
  a protocol processing engine to do transport layer protocol processing;
  
  a programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules;
  
  an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols; and
  
  a packet classification engine to classify the network traffic,said security system providing multiple protocol layer security in said network.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The security system of claim 19, further comprising:
    - a. at least one central manager for compiling and distributing security rules; and
      
      b. at least one security policy driver to communicate with the central manager to set up rules in said hardware processor to analyze and enforce security based on said rules.
  - 21. The security system of claim 20 wherein said network comprises at least one network system, and the central manager comprises at least one of:
    - a. A Security Policy Developer Interface for entering security policy;
      
      b. A Security Rules Compiler for compiling security policies into rules;
      
      c. A Rules Distribution Engine to distribute rules to said one network system;
      
      d. A Security Policy Manager Interface to manage said at least one network system;
      
      e. A Security Monitoring Engine to monitor said network;
      
      f. An event collection/management engine to manage said network and collect events or reports from said at least one network system;
      
      org. a combination of any of the foregoing.
  - 22. The security system of claim 20 wherein said network comprises at least one network system, said at least one network system provides security based on rules fora. OSI protocol layer two to provide layer two or MAC layer filtering;
    - orb. OSI protocol layer three to provide layer three or network layer filtering;
      
      orc. OSI protocol layer four to provide layer four or transport layer filtering;
      
      ord. OSI protocol layers five through seven to provide upper layer or application layer filtering;
      
      ore. a combination of any of the foregoing.
  - 23. The security system of claim 20, wherein the at least one policy driver executes on said hardware processor or on said host processor.
  - 24. The security system of claim 19, further comprising at least one security protocol comprising IPSEC, OPSEC, SSL, TLS, AES, DES, 3DES, SHA1, MD4, MD5, RSA, CHAP, Kerberos, a proprietary protocol or a combination of any of the foregoing.
  - 25. The security system of claim 19, wherein the multiple protocol layer security comprises a plurality of security functions performed at one or more protocol layers of an OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, unauthorized access, or a combination of any of the foregoing.
  - 26. The security system of claim 19 wherein said network comprises at least one network system, wherein said at least one network system comprises a blade server, thin server, media server, streaming media server, appliance server, Unix server, Linux server, Windows or Windows derivative server, AIX server, clustered server, database server, grid computing server, VOIP server, wireless gateway server, security server, file server, network attached storage server, game server, router, switch, wireless access point, workstation, desktop computer, notebook computer, laptop computer, utility computing system or gateway device or a combination of any of the foregoing.

27. A network system comprising:
- a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor of said distributed security systems, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor;
  
  said hardware processor comprisinga protocol processing engine to do transport layer protocol processing;
  
  ora programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules;
  
  oran authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols;
  
  ora packet classification engine to classify the network traffic;
  
  ora packet processing engine to perform packet processing tasks like header processing or deep packet processing or a combination thereof;
  
  ora combination of the foregoing.

28. A network system comprising:
- a network comprising a plurality of distributed security systems and one or more networked systems, each of said distributed security systems comprising at least one host processor, and at least one of said distributed security systems comprising a first hardware processor and a second hardware processor configured to offload overhead of a protocol processing stack from said at least one host processor said distributed security systems providing a secure operating environment for said protocol processing stack for trusted computing needs of one or more of said networked systems by providing a policy driver for setting up the second hardware processor for a first set of security policy rules to be enforced by said second hardware processor, and a central manager for compiling and distributing said rules of the first set and monitoring the enforcement of said rules of the first set by said second hardware processor, wherein said central manager is configured to provide a second set of security policy rules to said first hardware processor, wherein the rules within the second set are different than the rules within the first set.

29. A network system comprising:
- a network comprising a plurality of distributed security systems and one or more networked systems of one or more types, said distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said hardware processor comprising a protocol processing engine to do transport layer protocol processing.
- View Dependent Claims (30, 31, 32)
- - 30. The network system of claim 29, wherein said network transports network traffic, said hardware processor further comprising:
    - a programmable rule-matching engine for analyzing the network traffic for security rule matching or taking actions on matched security rules;
      
      an authentication engine for performing encryption, decryption, authorization or authentication using standard or proprietary security protocols;
      
      a packet classification engine to classify the network traffic;
      
      ora packet processing engine to perform packet processing tasks;
      
      ora combination of the foregoing.
  - 31. The network system of claim 30, wherein said packet processing tasks comprise header processing, deep packet processing or a combination thereof.
  - 32. The network system of claim 29, further comprising multiple protocol layer security that comprises security functions performed at one or more protocol layers of an OSI stack to provide packet filtering, intrusion detection, denial of service attack detection, port scanning detection, virus scan, spam filtering, unauthorized access, or detect other security attacks or a combination of any of the foregoing.

33. A network system comprising:
- a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor,said hardware processor comprising;
  
  a protocol processing engine to do transport layer protocol processing; and
  
  a programmable rule-matching engine for analyzing the network traffic for security rule matching or taking actions on matched security rules.

34. A network system comprising:
- a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor, and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor,said hardware processor comprising;
  
  a protocol processing engine for performing transport layer protocol processing;
  
  a programmable rule-matching engine for analyzing the network traffic for security rule matching or taking actions on matched security rules; and
  
  an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols.

35. A network system comprising a network further comprising a plurality of distributed security systems and at least one network system, wherein each of said distributed security systems comprises at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of at least one of a transport layer protocol processing stack and a network layer protocol processing stack from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said distributed security systems providing a secure operating environment for said protocol processing stack for trusted computing needs of said at least one network system and said distributed network security systems providing multiple protocol layer security in said network.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Memory Access Technologies LLC
Original Assignee
Ashish A. Pandya
Inventors
Pandya, Ashish A.
Primary Examiner(s)
NGUYEN, HANH N

Application Number

US10/783,890
Publication Number

US 20040165588A1
Time in Patent Office

1,642 Days
Field of Search

370/389, 370/349, 370/469, 370/395.5, 370/395.6, 370/464, 370/352, 709/229, 709/230, 709/223, 709/224, 726/12, 726/13, 726/34, 726/204
US Class Current

726/13
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0272   Virtual private networks

H04L 67/1097   for distributed storage of ...

H04L 69/12   Protocol engines

Distributed network security system and a hardware processor therefor

First Claim

5 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed network security system and a hardware processor therefor

First Claim

5 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links