VPN and firewall integrated system
Abstract
The present invention provides an integrated VPN/firewall system that uses both hardware (firmware) and software to optimize the efficiency of both VPN and firewall functions. The hardware portions of the VPN and firewall are designed in flexible and scalable layers to permit high-speed processing without sacrificing system security. The software portions are adapted to provide interfacing with the hardware components, reporting, and rules-management control.
14 Claims
1. An integrated firewall/VPN system, comprising:
at least one wide area network (WAN);
at least one local area network (LAN); and
an integrated firewall/VPN chipset configured to send and receive data packets between said WAN and said LAN, said chipset comprising:
a firewall comprising a first layer including a header match packet filtering engine configured to provide pattern matching in selected headers of data, a second layer including a contents match packet filtering engine configured to analyze the scope of at least one data packet, a third layer including at least one application proxy configured to provide additional pattern matching using a hardware engine configured to provide pre-analysis processing to reduce the workload of a central processing unit (CPU) and a fourth layer including a session match engine configured to store a TCP/UDP connection setup in a look-up-table and to forward the setup progress to said CPU for tracking;
a VPN configured to provide security functions for data between said LAN and said WAN, wherein said security functions are selected from the group consisting of encryption, decryption, encapsulation, and decapsulation of said data packets, said VPN including a VPN packet buffer configured to receive at least one of said data packets and to forward said at least one data packet to an inbound VPN processor configured to decrypt and decapsulate said at least one data packet, said VPN further including an inbound security database having a database of tunnels configured to provide said inbound VPN processor with tunnel information used to decrypt and decapsulate said at least one data packet, said VPN further including protocol instructions having microcodes configured to instruct said VPN processor to decrypt and decapsulate said at least one data packet according to a user-defined security procedure; and
an interface configured to determine if said data packets are plain text or cipher text, said interface further configured to forward a preselected number of bytes to said firewall if said data packets are plain text, said interface further configured to forward said data packets to said VPN if said data packets are cipher text.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A firewall/VPN integrated circuit (IC), comprising:
a router core configured to interface between at least one untrusted network and at least one trusted network to send and receive data packets between said untrusted and said trusted networks;
a firewall system, comprising a first layer including a header match packet filtering engine configured to provide pattern matching in selected headers of data, a second layer including a contents match packet filtering engine configured to analyze the scope of at least one data packet, a third layer including at least one application proxy configured to provide additional pattern matching using a hardware engine configured to provide pre-analysis processing to reduce the workload of a central processing unit (CPU) and a fourth layer including a session match engine configured to store a TCP/UDP connection setup in a look-up-table and to forward the setup progress to said CPU for tracking;
a VPN configured to provide security functions for data between said at least one untrusted and said at least one trusted network, wherein said security functions comprise encryption, decryption, encapsulation, and decapsulation of said data packets, said VPN including a VPN packet buffer configured to receive at least one of said data packets and to forward said at least one data packet to an inbound VPN processor configured to decrypt and decapsulate said at least one data packet, said VPN further including an inbound security database having a database of tunnels configured to provide said inbound VPN processor with tunnel information used to decrypt and decapsulate said at least one data packet, said VPN further including protocol instructions having microcodes configured to instruct said VPN processor to decrypt and decapsulate said at least one data packet according to a user-defined security procedure; and
an interface configured to determine if said data packets are plain text or cipher text, said interface further configured to forward a preselected number of bytes to said firewall if said data packets are plain text, said interface further configured to forward said data packets to said VPN if said data packets are cipher text.
Dependent claims: 9, 10, 11, 12, 13
14. A method of providing firewall access control functions, comprising the steps of:
defining one or more access control protocols;
receiving a data packet at an interface and determining if said data packet is plain text or cipher text, and forwarding a preselected number of bytes to a firewall system if said data packet includes plain text and forwarding said data packet to a VPN if said data packet includes cipher text;
selecting a certain number of bytes of said data packet if said data packet includes plain text;
processing said selected bytes using said access control protocols via said firewall system, said firewall system comprising a first layer including a header match packet filtering engine configured to provide pattern matching in selected headers of data, a second layer including a contents match packet filtering engine configured to analyze the scope of said data packet, a third layer including at least one application proxy configured to provide additional pattern matching using a hardware engine configured to provide pre-analysis processing to reduce the workload of a central processing unit (CPU) and a fourth layer including a session match engine configured to store a TCP/UDP connection setup in a look-up-table and to forward the setup progress to said CPU for tracking; and
receiving at least one cipher text data packet at a VPN configured to provide security functions for data between said LAN and said WAN, wherein said security functions are selected from the group consisting of encryption, decryption, encapsulation, and decapsulation of said at least one cipher text data packet, said VPN including a VPN packet buffer configured to receive said at least one cipher text data packet and to forward said at least one cipher text data packet to an inbound VPN processor configured to decrypt and decapsulate said at least one cipher text data packet, said VPN further including an inbound security database having a database of tunnels configured to provide said inbound VPN processor with tunnel information used to decrypt and decapsulate said at least one cipher text data packet, said VPN further including protocol instructions having microcodes configured to instruct said VPN processor to decrypt and decapsulate said at least one cipher text data packet according to a user-defined security procedure.
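The three independent claims share one data path: the interface classifies each packet as plain text or cipher text, hands a preselected number of bytes of a plain-text packet to the four-layer firewall (header match, contents match, application-proxy pre-analysis, session look-up table), and hands a cipher-text packet to the VPN, whose inbound processor looks the tunnel up in the inbound security database before decrypting and decapsulating it. The Python model below is an added example of that path; it is not the patent's own code or any product's implementation. It assumes what the claims leave open: IPsec ESP or AH (IP protocol 50 or 51) is what marks a packet as cipher text, the preselected window is 64 bytes, DNS over UDP is the application the third-layer proxy pre-analyses, a SHA-256 counter keystream stands in for the security association's real cipher (no integrity check or anti-replay window is modelled), and the decapsulated inner packet is submitted to the firewall path. The addresses, SPI, key, signature and packets are all constructed for the example.

```python
# Added example: model of the claimed plain/cipher dispatch, four-layer firewall and inbound VPN path.
# Not the patent's or any product's code: addresses, SPI, key and packets are constructed, and the
# SHA-256 keystream stands in for the SA's real cipher.
import hashlib
import struct
from dataclasses import dataclass, field

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
PRESELECTED_BYTES = 64                   # assumed size of the claim's "preselected number of bytes"
LAN_HOST, WAN_IF, PEER = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7]), bytes([198, 51, 100, 9])  # constructed

def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 header (no options, checksum left zero) for the sample traffic only."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def parse_ipv4(pkt):
    """Fields the header-match layer keys on: L4 ports for UDP, SPI and sequence number for ESP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    h = {"proto": proto, "src": src, "dst": dst, "payload": pkt[(ver_ihl & 0x0F) * 4:]}
    if proto == IPPROTO_UDP and len(h["payload"]) >= 4:
        h["sport"], h["dport"] = struct.unpack("!HH", h["payload"][:4])
    elif proto == IPPROTO_ESP and len(h["payload"]) >= 8:
        h["spi"], h["seq"] = struct.unpack("!II", h["payload"][:8])
    return h

def is_cipher_text(h):
    """Interface decision; assumption: ESP/AH payloads are cipher text, everything else plain text."""
    return h["proto"] in (IPPROTO_ESP, IPPROTO_AH)

@dataclass
class Firewall:
    header_rules: dict = field(default_factory=dict)        # layer 1: (proto, dport) -> "accept"
    content_signatures: list = field(default_factory=list)  # layer 2: byte patterns to reject
    sessions: dict = field(default_factory=dict)            # layer 4: connection look-up table

    def inspect(self, pkt):
        h = parse_ipv4(pkt[:PRESELECTED_BYTES])    # only the preselected bytes reach the engines
        if self.header_rules.get((h["proto"], h.get("dport"))) != "accept":
            return "drop-header"                   # layer 1: header match
        if any(sig in h["payload"] for sig in self.content_signatures):
            return "drop-content"                  # layer 2: contents match
        if h.get("dport") == 53:                   # layer 3: DNS proxy pre-analysis, queries only
            dns = h["payload"][8:]                 # past the UDP header
            if len(dns) < 12 or struct.unpack("!H", dns[2:4])[0] & 0x8000:
                return "drop-proxy"
        key = (h["proto"], h["src"], h["dst"], h.get("sport"), h.get("dport"))
        if key in self.sessions:                   # layer 4: session match
            self.sessions[key] += 1
            return "accept-session"
        self.sessions[key] = 1                     # new setup recorded for the CPU to track
        return "accept-new"

def keystream(key, seq, n):
    """Toy SHA-256 counter keystream; a real SA would run e.g. AES-GCM and verify the ICV first."""
    return b"".join(hashlib.sha256(key + struct.pack("!II", seq, b)).digest() for b in range(0, n, 32))[:n]

def vpn_inbound(sadb, pkt):
    """Inbound VPN processor: look the tunnel up in the security database, then decrypt and decapsulate."""
    h = parse_ipv4(pkt)
    sa = sadb.get((h["dst"], h.get("spi")))       # sadb: (outer dst, SPI) -> {"key": ..., "tunnel": ...}
    if sa is None:
        return None                                # no tunnel for this SPI: drop
    body = h["payload"][8:]                        # ESP payload after SPI and sequence number
    return bytes(a ^ b for a, b in zip(body, keystream(sa["key"], h["seq"], len(body))))  # inner packet

def esp_encapsulate(sa, spi, seq, inner, src, dst):
    """Peer side of the toy tunnel, used only to build the sample cipher-text packets."""
    body = bytes(a ^ b for a, b in zip(inner, keystream(sa["key"], seq, len(inner))))
    return build_ipv4(IPPROTO_ESP, src, dst, struct.pack("!II", spi, seq) + body)

def receive(fw, sadb, pkt):
    """The chipset interface: route by plain/cipher text and return the verdict."""
    if not is_cipher_text(parse_ipv4(pkt)):
        return fw.inspect(pkt)                     # plain text: preselected bytes to the firewall
    inner = vpn_inbound(sadb, pkt)                 # cipher text: whole packet to the VPN
    return "drop-no-sa" if inner is None else "vpn:" + fw.inspect(inner)  # assumed: inner re-inspected

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def dns_query(qname, qr=0):
    return struct.pack("!HHHHHH", 0x1234, qr << 15, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

def run_demo():
    fw = Firewall(header_rules={(IPPROTO_UDP, 53): "accept"}, content_signatures=[b"\x07version\x04bind"])
    sa = {"key": b"constructed-sa-key", "tunnel": "peer-9"}
    sadb = {(WAN_IF, 0x1001): sa}
    www = b"\x03www\x07example\x03com\x00"
    pkt = lambda sport, dport, data: build_ipv4(IPPROTO_UDP, PEER, LAN_HOST, udp(sport, dport, data))
    inner = pkt(40001, 53, dns_query(www))
    return {
        "query": receive(fw, sadb, pkt(40000, 53, dns_query(www))),
        "query_again": receive(fw, sadb, pkt(40000, 53, dns_query(www))),
        "reply": receive(fw, sadb, pkt(40000, 53, dns_query(www, qr=1))),
        "version_bind": receive(fw, sadb, pkt(40000, 53, dns_query(b"\x07version\x04bind\x00"))),
        "ssh": receive(fw, sadb, pkt(40000, 22, b"x")),
        "tunneled": receive(fw, sadb, esp_encapsulate(sa, 0x1001, 7, inner, PEER, WAN_IF)),
        "unknown_spi": receive(fw, sadb, esp_encapsulate(sa, 0x2002, 7, inner, PEER, WAN_IF)),
    }
```

Calling run_demo() returns the verdict for each constructed packet: a first DNS query is accepted and recorded in the session table, a repeat of it matches the session, a DNS response arriving inbound is stopped by the proxy pre-analysis, a version.bind query is stopped by the contents match, UDP to port 22 is stopped by the header match, an ESP packet with a known SPI is decapsulated and its inner query accepted, and an ESP packet with an unknown SPI is dropped at the tunnel look-up. Two points the model makes visible that the claim text does not: if the decrypted inner packet were not re-submitted to the firewall path, a tunnel peer would bypass all four access-control layers, so that re-inspection step is what keeps the VPN from becoming a hole in the firewall; and because the contents-match and proxy engines see only the preselected bytes, a pattern that begins beyond that window is never matched, which is the trade-off behind letting hardware pre-analysis reduce the CPU's workload.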