VPN and firewall integrated system

US 7,596,806 B2
Filed: 09/08/2003
Issued: 09/29/2009
Est. Priority Date: 09/06/2002
Status: Active Grant

First Claim

Patent Images

1. An integrated firewall/VPN system, comprising:

at least one wide area network (WAN);

at least one local area network (LAN); and

an integrated firewall/VPN chipset configured to send and receive data packets between said WAN and said LAN, said chipset comprising;

a firewall comprising a first layer including a header match packet filtering engine configured to provide pattern matching in selected headers of data, a second layer including a contents match packet filtering engine configured to analyze the scope of at least one data packet, a third layer including at least one application proxy configured to provide additional pattern matching using a hardware engine configured to provide pre-analysis processing to reduce the workload of a central processing unit (CPU) and a fourth layer including a session match engine configured to store a TCP/UDP connection setup in a look-up-table and to forward the setup progress to said CPU for tracking;

a VPN configured to provide security functions for data between said LAN and said WAN, wherein said security functions are selected from the group consisting of encryption, decryption, encapsulation, and decapsulation of said data packets, said VPN including a VPN packet buffer configured to receive at least one of said data packets and to forward said at least one data packet to an inbound VPN processor configured to decrypt and decapsulate said at least one data packet, said VPN further including an inbound security database having a database of tunnels configured to provide said inbound VPN processor with tunnel information used to decrypt and decapsulate said at least one data packet, said VPN further including protocol instructions having microcodes configured to instruct said VPN processor to decrypt and decapsulate said at least one data packet according to a user-defined security procedure; and

an interface configured to determine if said data packets are plain text or cipher text, said interface further configured to forward a preselected number of bytes to said firewall if said data packets are plain text, said interface further configured to forward said data packets to said VPN if said data packets are cipher text.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides an integrated VPN/firewall system that uses bath hardware (firmware) and software to optimize the efficiency of both VPN and firewall functions. The hardware portions of the VPN and firewall are designed in flexible and scalable layers to permit high-speed processing without sacrificing system security. The software portions are adapted to provide interfacing with hardware components, report and rules management control.

45 Citations

View as Search Results

14 Claims

1. An integrated firewall/VPN system, comprising:
- at least one wide area network (WAN);
  
  at least one local area network (LAN); and
  
  an integrated firewall/VPN chipset configured to send and receive data packets between said WAN and said LAN, said chipset comprising;
  
  a firewall comprising a first layer including a header match packet filtering engine configured to provide pattern matching in selected headers of data, a second layer including a contents match packet filtering engine configured to analyze the scope of at least one data packet, a third layer including at least one application proxy configured to provide additional pattern matching using a hardware engine configured to provide pre-analysis processing to reduce the workload of a central processing unit (CPU) and a fourth layer including a session match engine configured to store a TCP/UDP connection setup in a look-up-table and to forward the setup progress to said CPU for tracking;
  
  a VPN configured to provide security functions for data between said LAN and said WAN, wherein said security functions are selected from the group consisting of encryption, decryption, encapsulation, and decapsulation of said data packets, said VPN including a VPN packet buffer configured to receive at least one of said data packets and to forward said at least one data packet to an inbound VPN processor configured to decrypt and decapsulate said at least one data packet, said VPN further including an inbound security database having a database of tunnels configured to provide said inbound VPN processor with tunnel information used to decrypt and decapsulate said at least one data packet, said VPN further including protocol instructions having microcodes configured to instruct said VPN processor to decrypt and decapsulate said at least one data packet according to a user-defined security procedure; and
  
  an interface configured to determine if said data packets are plain text or cipher text, said interface further configured to forward a preselected number of bytes to said firewall if said data packets are plain text, said interface further configured to forward said data packets to said VPN if said data packets are cipher text.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as claimed in claim 1, wherein said chipset further comprises a router adapted to route data between said WAN and said LAN.
  - 3. The system as claimed in claim 1, wherein said firewall is configured to provide static and/or dynamic data packet filtering.
  - 4. The system as claimed in claim 3, wherein said header match packet filtering engine is configured to provide pattern matching in selected headers of said data and their combination from L2, L3 and L4 headers.
  - 5. The system as claimed in claim 1, wherein said chipset is further configured to analyze access control functions based on preselected bytes of said data packets.
  - 6. The system as claimed in claim 5, wherein said preselected bytes comprise the first 144 bytes of said data packet.
  - 7. The system as claimed in claim 1, wherein said firewall further includes access control functions comprising user-defined access control protocols.

8. A firewall/VPN integrated circuit (IC), comprising:
- a router core configured to interface between at least one untrusted network and at least one trusted network to send and receive data packets between said untrusted and said trusted networks;
  
  a firewall system, comprising a first layer including a header match packet filtering engine configured to provide pattern matching in selected headers of data, a second layer including a contents match packet filtering engine configured to analyze the scope of at least one data packet, a third layer including at least one application proxy configured to provide additional pattern matching using a hardware engine configured to provide pre-analysis processing to reduce the workload of a central processing unit (CPU) and a fourth layer including a session match engine configured to store a TCP/UDP connection setup in a look-up-table and to forward the setup progress to said CPU for tracking;
  
  a VPN configured to provide security functions for data between said at least one untrusted and said at least one trusted network, wherein said security functions comprise encryption, decryption, encapsulation, and decapsulation of said data packets, said VPN including a VPN packet buffer configured to receive at least one of said data packets and to forward said at least one data packet to an inbound VPN processor configured to decrypt and decapsulate said at least one data packet, said VPN further including an inbound security database having a database of tunnels configured to provide said inbound VPN processor with tunnel information used to decrypt and decapsulate said at least one data packet, said VPN further including protocol instructions having microcodes configured to instruct said VPN processor to decrypt and decapsulate said at least one data packet according to a user-defined security procedure; and
  
  an interface configured to determine if said data packets are plain text or cipher text, said interface further configured to forward a preselected number of bytes to said firewall if said data packets are plain text, said interface further configured to forward said data packets to said VPN if said data packets are cipher text.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The IC as claimed in claim 8, wherein said firewall system is configured to provide static and/or dynamic data packet filtering.
  - 10. The IC as claimed in claim 9, header match packet filtering circuit is configured to provide pattern matching in selected headers of said data and their combination from L2, L3 and L4 headers.
  - 11. The IC as claimed in claim 8, wherein said firewall system is further configured to analyze access control functions based on preselected bytes of said data packets.
  - 12. The IC as claimed in claim 11, wherein said preselected bytes comprise the first 144 bytes of said data packet.
  - 13. The IC as claimed in claim 8, wherein said firewall system further includes access control functions comprising user-defined access control protocols.

14. A method of providing firewall access control functions, comprising the steps of;
- defining one or more access control protocols;
  
  receiving a data packet at an interface and determining if said data packet is plain text or cipher text, and forwarding a preselected number of bytes to a firewall system if said data packets includes plain text and forwarding said data packets to a VPN if said data packet includes cipher text;
  
  selecting a certain number of bytes of said data packet if said data packet includes plain text;
  
  processing said selected bytes using said access control protocols via said firewall system, said firewall system comprising a first layer including a header match packet filtering engine configured to provide pattern matching in selected headers of data, a second layer including a contents match packet filtering engine configured to analyze the scope of said data packet, a third layer including at least one application proxy configured to provide additional pattern matching using a hardware engine configured to provide pre-analysis processing to reduce the workload of a central processing unit (CPU) and a fourth layer including a session match engine configured to store a TCP/UDP connection setup in a look-up-table and to forward the setup progress to said CPU for tracking; and
  
  receiving at least one cipher text data packet at a VPN configured to provide security functions for data between said LAN and said WAN, wherein said security functions are selected from the group consisting of encryption, decryption, encapsulation, and decapsulation of said at least one cipher text data packet, said VPN including a VPN packet buffer configured to receive said at least one cipher text data packet and to forward said at least one cipher text data packet to an inbound VPN processor configured to decrypt and decapsulate said at least one cipher text data packet, said VPN further including an inbound security database having a database of tunnels configured to provide said inbound VPN processor with tunnel information used to decrypt and decapsulate said at least one cipher text data packet, said VPN further including protocol instructions having microcodes configured to instruct said VPN processor to decrypt and decapsulate said at least one cipher text data packet according to a user-defined security procedure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures Assets 3 LLC (Intellectual Ventures LLC)
Original Assignee
O2 Micro International Limited (O2 Micro Incorporated)
Inventors
Chen, Jyshyang
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PATEL, NIRAV B

Application Number

US10/658,561
Publication Number

US 20060174336A1
Time in Patent Office

2,213 Days
Field of Search

726 11- 15, 726 2- 5, 713150-154, 713/168, 713/182, 713/170, 709223-225, 709/230, 709/238, 709/227, 709/229, 370/229, 370/278
US Class Current

726/11
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/0853   using an additional device,...

H04L 63/104   Grouping of entities

H04L 63/145   the attack involving the pr...

H04L 63/16   Implementing security featu...

VPN and firewall integrated system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

VPN and firewall integrated system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links