Distributed network security system and a hardware processor therefor
First Claim
1. A network system comprising:
- a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprises at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said hardware processor comprising;
a protocol processing engine to do transport layer protocol processing;
a programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules;
an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols; and
a packet classification engine to classify the network traffic.
Abstract
An architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol layer and may also provide packet inspection through Layer 7. A set of engines may perform pass-through packet classification, policy processing and/or security processing enabling packet streaming through the architecture at nearly the full line rate. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer. A security system is also disclosed that enables a new way of implementing security capabilities inside enterprise networks in a distributed manner using a protocol processing hardware with appropriate security features.
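The pipeline the abstract sketches, as an added example that is not the patent's own design or code: a packet classification step that reduces a packet to its flow key, a session cache of bounded size standing in for the internal memory with a dictionary standing in for the additional memory, and an ordered rule-matching engine that takes an action on matched rules. Every class name, rule, address and packet below is constructed for illustration; the engine is deny-by-default so a packet that matches nothing is dropped.

```python
# Added example (not the patent's own design): classification, bounded session cache, rule engine.
from collections import OrderedDict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""


def classify(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)   # 5-tuple flow key


@dataclass
class Session:
    key: tuple
    packets: int = 0


class SessionCache:
    """'Internal memory' holds at most `capacity` sessions in LRU order; the
    rest live in `backing` ('additional memory') and are restored on lookup."""

    def __init__(self, capacity: int):
        self.capacity, self.hits, self.misses = capacity, 0, 0
        self.hot, self.backing = OrderedDict(), {}

    def lookup(self, key: tuple) -> Session:
        if key in self.hot:
            self.hits += 1
            self.hot.move_to_end(key)                      # most recently used
            return self.hot[key]
        self.misses += 1
        sess = self.hot[key] = self.backing.pop(key, None) or Session(key)
        if len(self.hot) > self.capacity:
            old_key, old = self.hot.popitem(last=False)     # evict LRU entry
            self.backing[old_key] = old                     # spill, keep its state
        return sess


@dataclass
class Rule:
    """One security rule; a field left as None is a wildcard."""
    name: str
    action: str                                # "allow", "drop" or "log"
    proto: Optional[str] = None
    src: Optional[str] = None                  # CIDR
    dst: Optional[str] = None                  # CIDR
    dport: Optional[int] = None
    payload_contains: Optional[bytes] = None   # deep-packet style match

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
                and (self.dport is None or pkt.dport == self.dport)
                and (self.payload_contains is None
                     or self.payload_contains in pkt.payload))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, List[str]]:
    """Rule-matching engine: 'log' rules record a hit and keep going, the first
    allow/drop wins, and an unmatched packet gets the default (deny by default)."""
    logged: List[str] = []
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "log":
                logged.append(rule.name)
                continue
            return rule.action, logged
    return default, logged


# Constructed rule set and traffic: guest LAN 10.10.0.0/16, DMZ 192.0.2.0/24.
RULES = [
    Rule("log-ssh-from-guest", "log", proto="tcp", src="10.10.0.0/16", dport=22),
    Rule("allow-web-to-dmz", "allow", proto="tcp", dst="192.0.2.0/24", dport=443),
    Rule("drop-guest-to-dmz", "drop", src="10.10.0.0/16", dst="192.0.2.0/24"),
    Rule("drop-marked-payload", "drop", payload_contains=b"SUSPICIOUS"),
    Rule("allow-dns", "allow", proto="udp", dport=53),
]
PACKETS = [
    Packet("10.10.1.5", "192.0.2.10", "tcp", 40000, 443),
    Packet("10.10.1.5", "192.0.2.20", "tcp", 40001, 22),
    Packet("198.51.100.7", "192.0.2.53", "udp", 5353, 53, b"SUSPICIOUS"),
    Packet("198.51.100.7", "192.0.2.53", "udp", 5353, 53, b"query"),
    Packet("10.10.1.5", "192.0.2.10", "tcp", 40000, 443),   # same flow as packet 1
    Packet("203.0.113.9", "192.0.2.10", "tcp", 5555, 8080),  # matches no rule
]


def run_demo(cache_capacity: int = 2):
    """Per packet: classify, update its session, match; also return cache stats."""
    cache = SessionCache(cache_capacity)
    verdicts = []
    for pkt in PACKETS:
        sess = cache.lookup(classify(pkt))
        sess.packets += 1
        action, logged = evaluate(RULES, pkt)
        verdicts.append((action, logged, sess.packets))
    return verdicts, cache.hits, cache.misses
```

With a cache capacity of two, the third distinct flow evicts the first one to the backing store; when that flow reappears as packet 5 it is restored with its packet counter intact, which is the behaviour the abstract attributes to the internal memory plus additional memory split. The second packet shows a "log" rule firing without ending evaluation, so it is both logged and then dropped by the later guest-to-DMZ rule.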
35 Claims
1. A network system comprising:
a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprises at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said hardware processor comprising; a protocol processing engine to do transport layer protocol processing; a programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules; an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols; and a packet classification engine to classify the network traffic. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A security system comprising:
a storage area network configured to transport storage area network traffic, wherein said storage area network comprises at least one network system, wherein said at least one network system comprises a hardware processor providing transport layer protocol processing, said hardware processor comprising; a storage protocol processing engine to do storage protocol processing; a protocol processing engine to do transport layer protocol processing; a programmable rule-matching engine to analyze the storage area network traffic for security rule matching or taking actions on matched security rules; an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols; a packet classification engine to classify the storage area network traffic; and a packet processing engine to perform packet processing tasks like header processing or deep packet processing, said security system providing multiple protocol layer security in said storage area network. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
19. A security system comprising:
a network configured to transport network traffic, wherein said network comprises a hardware processor providing a remote direct memory access (RDMA) capability and configured to offload transport layer protocol processing from a host processor that commands said hardware processor; said hardware processor comprising; an RDMA mechanism for performing RDMA data transfer; a protocol processing engine to do transport layer protocol processing; a programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules; an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols; and a packet classification engine to classify the network traffic, said security system providing multiple protocol layer security in said network. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
27. A network system comprising:
a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor of said distributed security systems, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor; said hardware processor comprising a protocol processing engine to do transport layer protocol processing;
or a programmable rule-matching engine to analyze the network traffic for security rule matching or taking actions on matched security rules;
or an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols;
or a packet classification engine to classify the network traffic;
or a packet processing engine to perform packet processing tasks like header processing or deep packet processing or a combination thereof;
or a combination of the foregoing.
28. A network system comprising:
a network comprising a plurality of distributed security systems and one or more networked systems, each of said distributed security systems comprising at least one host processor, and at least one of said distributed security systems comprising a first hardware processor and a second hardware processor configured to offload overhead of a protocol processing stack from said at least one host processor said distributed security systems providing a secure operating environment for said protocol processing stack for trusted computing needs of one or more of said networked systems by providing a policy driver for setting up the second hardware processor for a first set of security policy rules to be enforced by said second hardware processor, and a central manager for compiling and distributing said rules of the first set and monitoring the enforcement of said rules of the first set by said second hardware processor, wherein said central manager is configured to provide a second set of security policy rules to said first hardware processor, wherein the rules within the second set are different than the rules within the first set.
29. A network system comprising:
a network comprising a plurality of distributed security systems and one or more networked systems of one or more types, said distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said hardware processor comprising a protocol processing engine to do transport layer protocol processing. - View Dependent Claims (30, 31, 32)
33. A network system comprising:
a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said hardware processor comprising; a protocol processing engine to do transport layer protocol processing; and a programmable rule-matching engine for analyzing the network traffic for security rule matching or taking actions on matched security rules.
34. A network system comprising:
a network configured to transport network traffic, wherein said network comprises a plurality of distributed security systems providing multiple protocol layer security, wherein each of said distributed security systems comprise at least one host processor, and said distributed security systems comprise a hardware processor offloading overhead of transport layer protocol processing from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said hardware processor comprising; a protocol processing engine for performing transport layer protocol processing; a programmable rule-matching engine for analyzing the network traffic for security rule matching or taking actions on matched security rules; and an authentication engine to do encryption, decryption, authorization or authentication using standard or proprietary security protocols.
35. A network system comprising a network further comprising a plurality of distributed security systems and at least one network system, wherein each of said distributed security systems comprises at least one host processor and said distributed security systems comprise a hardware processor offloading overhead of at least one of a transport layer protocol processing stack and a network layer protocol processing stack from said at least one host processor, wherein said hardware processor is other than said at least one host processor and is configured to receive a command from said at least one host processor, said distributed security systems providing a secure operating environment for said protocol processing stack for trusted computing needs of said at least one network system and said distributed network security systems providing multiple protocol layer security in said network.
Specification