Method and system for network security

US 7,562,389 B1
Filed: 07/30/2004
Issued: 07/14/2009
Est. Priority Date: 07/30/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a packet at a physical interface of a network security gateway, wherein the packet is tagged with a first virtual local area network (VLAN) identifier associated with an external network;

communicating a copy of the packet to a first processor;

analyzing the copy of the packet at the first processor to determine whether the packet violates a security condition;

communicating a reply message from the first processor to the interface indicating whether the packet violates a security condition; and

if the packet does not violate a security condition;

at the physical interface, re-tagging the packet with a second VLAN identifier associated with a protected network; and

communicating the re-tagged packet to the protected network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one embodiment of the present invention, a method includes receiving a packet at a physical interface of a network security gateway. The packet is tagged with a first VLAN identifier associated with an external network. The method also includes communicating a copy of the packet to a first processor, analyzing the copy of the packet at the first processor to determine whether the packet violates a security condition, and communicating a reply message from the first processor to the interface. The reply message indicates whether the packet violates a security condition. If the packet does not violate a security condition, the method includes re-tagging the packet with a second VLAN identifier associated with a protected network by using a second processor at the physical interface. The method further includes communicating the re-tagged packet to the protected network if the packet does not violate a security condition.

Citations

29 Claims

1. A method, comprising:
- receiving a packet at a physical interface of a network security gateway, wherein the packet is tagged with a first virtual local area network (VLAN) identifier associated with an external network;
  
  communicating a copy of the packet to a first processor;
  
  analyzing the copy of the packet at the first processor to determine whether the packet violates a security condition;
  
  communicating a reply message from the first processor to the interface indicating whether the packet violates a security condition; and
  
  if the packet does not violate a security condition;
  
  at the physical interface, re-tagging the packet with a second VLAN identifier associated with a protected network; and
  
  communicating the re-tagged packet to the protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the security condition comprises an attack signature.
  - 3. The method of claim 1, wherein the security condition comprises a firewall policy.
  - 4. The method of claim 1, further comprising:
    - receiving the packet from the external network at a network gateway;
      
      tagging the packet with the first VLAN identifier at the network gateway; and
      
      communicating the packet to the interface.
  - 5. The method of claim 4, wherein the step of communicating the re-tagged packet to the protected network comprises:
    - communicating the re-tagged packet to a first port of the network gateway; and
      
      communicating the re-tagged packet to the protected network using a second port of the network gateway.
  - 6. The method of claim 4, wherein communicating the packet to the interface comprises:
    - generating a copy of the packet for each of a plurality of ports of the network gateway, wherein one of the ports is coupled to the interface; and
      
      communicating one of the copies of the packet from each of the ports.
  - 7. The method of claim 1, wherein a size of the reply message is less than the size of the packet.
  - 8. The method of claim 1, and further comprising modifying a VLAN field of a bridge protocol data unit (BPDU) associated with the packet to store the second VLAN identifier if the packet does not violate a security condition.

9. Logic embodied in a computer-readable storage medium operable to perform steps comprising:
- receiving a packet at a physical interface of a network security gateway, wherein the packet is tagged with a first virtual local area network (VLAN) identifier associated with an external network;
  
  communicating a copy of the packet to a first processor;
  
  analyzing the copy of the packet at the first processor to determine whether the packet violates a security condition;
  
  communicating a reply message from the first processor to the interface indicating whether the packet violates a security condition; and
  
  if the packet does not violate a security condition;
  
  at the physical interface, re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network; and
  
  communicating the re-tagged packet to the protected network.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The logic of claim 9, wherein the security condition comprises an attack signature.
  - 11. The logic of claim 9, wherein the security condition comprises a firewall policy.
  - 12. The logic of claim 9, further operable to perform steps further comprising:
    - receiving the packet from the external network at a network gateway;
      
      tagging the packet with the first VLAN identifier at the network gateway; and
      
      communicating the packet to the interface.
  - 13. The logic of claim 12, wherein the step of communicating the re-tagged packet to the protected network comprises:
    - communicating the re-tagged packet to a first port of the network gateway; and
      
      communicating the re-tagged packet to the protected network using a second port of the network gateway.
  - 14. The logic of claim 12, wherein the step of communicating the packet to the interface comprises:
    - generating a copy of the packet for each of a plurality of ports of the network gateway, wherein one of the ports is coupled to the interface; and
      
      communicating one of the copies of the packet from each of the ports.
  - 15. The logic of claim 9, wherein a size of the reply message is less than the size of the packet.
  - 16. The logic of claim 9, further operable to perform the step of modifying a VLAN field of a bridge protocol data unit (BPDU) associated with the packet to store the second VLAN identifier if the packet does not violate a security condition.

17. A system, comprising:
- means for receiving a packet at a physical interface of a network security gateway, wherein the packet is tagged with a first VLAN identifier associated with an external network;
  
  means for communicating a copy of the packet to a first processor;
  
  means for analyzing the copy of the packet at the first processor to determine whether the packet violates a security condition;
  
  means for communicating a reply message from the first processor to the interface indicating whether the packet violates a security condition;
  
  means at the physical interface operable for re-tagging the buffered copy of the packet with a second VLAN identifier associated with a protected network if the packet does not violate a security condition; and
  
  means for communicating the re-tagged packet to the protected network.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the security condition comprises an attack signature.
  - 19. The system of claim 17, wherein the security condition comprises a firewall policy.
  - 20. The system of claim 17, further comprising:
    - means for receiving the packet from the external network at a network gateway;
      
      means for tagging the packet with the first VLAN identifier at the network gateway; and
      
      means for communicating the packet to the interface.
  - 21. The system of claim 17, and further comprising means for modifying a VLAN field of a bridge protocol data unit (BPDU) associated with the packet to store the second VLAN identifier if the packet does not violate a security condition.

22. A system, comprising:
- an interface operable to;
  
  receive a packet, wherein the packet is tagged with a first virtual local area network (VLAN) identifier associated with an external network;
  
  communicate a copy of the packet to a processor;
  
  re-tag the packet with a second VLAN identifier associated with a protected network; and
  
  communicate the packet to the protected network; and
  
  the processor operable to;
  
  analyze the copy of the packet to determine if it violates a security condition; and
  
  communicate a reply message to the interface indicating whether the packet violates a security condition, wherein the interface re-tags and communicates the packet if the reply message indicates that the packet does not violate a security condition.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The system of claim 22, wherein the security condition comprises an attack signature.
  - 24. The system of claim 22, wherein the security condition comprises a firewall policy.
  - 25. The system of claim 22, further comprising a network gateway operable to:
    - receive the packet from the external network;
      
      tag the packet with the first VLAN identifier at the network gateway; and
      
      communicate the packet to the interface.
  - 26. The system of claim 25, wherein:
    - the interface is further operable to communicate the re-tagged packet to a first port of the network gateway; and
      
      the network gateway is further operable to communicate the re-tagged packet to the protected network using a second port of the network gateway.
  - 27. The system of claim 25, wherein the network gateway is further operable to:
    - generate a copy of the packet for each of a plurality of ports of the network gateway, wherein one of the ports is coupled to the interface; and
      
      communicate one of the copies of the packet from each of the ports.
  - 28. The system of claim 22, wherein a size of the reply message is less than the size of the packet.
  - 29. The system of claim 22, wherein the processor is further operable to modify the field of a VLAN field of a bridge protocol data unit (BPDU) associated with the packet to store the second VLAN identifier if the packet does not violate a security condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gupta, Rahul, Goyal, Rajan, Kaluve, Shyamasundar S., Prabhu, Kirtikumar L., Paggen, Christophe J., Mihailovici, Virgil N., Habib, Ahsan, Monclus, Pere
Primary Examiner(s)
NGUYEN, MINH DIEU T

Application Number

US10/903,391
Time in Patent Office

1,810 Days
Field of Search

726 11- 12, 726/22, 713153-154, 709238-244, 370/355, 370/359, 370/401
US Class Current

726/22
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1408 by monitoring network traff...

Method and system for network security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for network security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links