Intelligent integrated network security device

US 7,650,634 B2
Filed: 03/28/2003
Issued: 01/19/2010
Est. Priority Date: 02/08/2002
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method for inspecting data packets associated with a flow in a computer network, the computer network including two or more security devices for processing the data packets, each data packet having associated header data, the method comprising:

receiving the data packet;

examining the data packet;

determining a single flow record associated with the data packet, where the determining includes;

determining a packet identifier using at least the associated header data;

evaluating a flow table for a matching flow record entry using the packet identifier;

when there is a matching flow record entry, retrieving the matching flow record;

when there is no matching flow record entry, creating a new flow record; and

storing the new flow record in the flow table;

extracting flow instructions, a session ID and flow information, for the two or more security devices, from the single flow record and forwarding the flow instructions, the session ID and the flow information to the respective ones of the two or more security devices to facilitate processing of the data packet;

receiving, from each of the two or more security devices, evaluation information, the evaluation information being generated by a respective one of the two or more security devices when processing the data packet; and

processing the data packet using the evaluation information.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

101 Citations

View as Search Results

41 Claims

1. A method for inspecting data packets associated with a flow in a computer network, the computer network including two or more security devices for processing the data packets, each data packet having associated header data, the method comprising:
- receiving the data packet;
  
  examining the data packet;
  
  determining a single flow record associated with the data packet, where the determining includes;
  
  determining a packet identifier using at least the associated header data;
  
  evaluating a flow table for a matching flow record entry using the packet identifier;
  
  when there is a matching flow record entry, retrieving the matching flow record;
  
  when there is no matching flow record entry, creating a new flow record; and
  
  storing the new flow record in the flow table;
  
  extracting flow instructions, a session ID and flow information, for the two or more security devices, from the single flow record and forwarding the flow instructions, the session ID and the flow information to the respective ones of the two or more security devices to facilitate processing of the data packet;
  
  receiving, from each of the two or more security devices, evaluation information, the evaluation information being generated by a respective one of the two or more security devices when processing the data packet; and
  
  processing the data packet using the evaluation information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, where the two or more security devices are included in one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.
  - 3. The method of claim 1, where examining the data packet includes inspecting the associated header data to determine if the data packet should be forwarded.
  - 4. The method of claim 1, where determining the single flow record associated with the data packet includes locating a flow record using the associated header data.
  - 5. The method of claim 1, where the extracting flow instructions for the two or more security devices from the single flow record includes obtaining information for locating the data packet in memory and information providing a relative position of the data packet within the flow.
  - 6. The method of claim 1, where creating the new flow record includes:
    - creating a new session ID;
      
      retrieving device specific flow information associated with the data packet from the two or more security devices; and
      
      associating the new session ID and the device specific flow information with the new flow record.
  - 7. The method of claim 6, further comprising using the device specific flow information to create instructions for each of the two or more security devices for processing the packet.
  - 8. The method of claim 6, further comprising storing security device specific flow information for each of the two or more security devices along with the new session ID in the single flow record.
  - 9. The method of claim 1, further comprising processing the data packet in each of the two or more security devices using the extracted flow instructions.
  - 10. The method of claim 1, where processing the data packet includes one or more of forwarding, dropping, modifying, logging or storing the data packet.
  - 11. The method of claim 1, where processing the data packet includes determining if the data packet is to be forwarded.
  - 12. The method of claim 1, where the single flow record includes policy information for at least one of the two or more security devices.
  - 13. The method of claim 1, where the single flow record includes a firewall policy and an intrusion prevention system policy.
  - 14. The method of claim 1, where the single flow record includes encryption parameters for use by one of the two or more security devices.
  - 15. The method of claim 1, where the single flow record includes address translation parameters.
  - 16. The method of claim 1, where the single flow record includes bookkeeping or statistics information.
  - 17. The method of claim 1, where the single flow record includes information describing which policies to apply to a given flow for use by one or more of the two or more security devices.
  - 18. The method of claim 1, where the single flow record includes policy information for use by the two or more security devices in processing the data packet.

19. A computer-readable memory device incorporating instructions for inspecting data packets associated with a flow in a computer network, the computer network including two or more security devices for processing data packets, each data packet having associated header data, the instructions to:
- receive the data packet;
  
  examine the data packet;
  
  determine a single flow record associated with the data packet, where the instruction to determine the single flow packet include instructions to;
  
  determine a packet identifier using at least the associated header data;
  
  evaluate a flow table for a matching flow record entry using the packet identifier;
  
  retrieve a matching flow record when there is a matching flow record entry; and
  
  create a new flow record when there is no matching flow record entry, where the new flow record is stored in the flow record table;
  
  extract flow instructions, a session ID and flow information, for the two or more security devices, from the single flow record and forward the flow instructions, the session ID and the flow information to the respective ones of the two or more security devices to facilitate processing of the data packet;
  
  receive, from each of the two or more security devices, evaluation information, the evaluation information being generated by a respective one of the two or more security devices when processing the data packet; and
  
  processing the data packet using the evaluation information.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The computer-readable memory device of claim 19, where the two or more security devices are included in one of an intrusion detection system, an intrusion prevention system, a firewall or a flow-based router.
  - 21. The computer-readable memory device of claim 19, where instructions to examine the data packet further include instructions to inspect the associated header data to determine if the data packet should be forwarded.
  - 22. The computer-readable memory device of claim 19, where instructions to determine the single flow record associated with the data packet further include instructions to locate a flow record using the associated header data.
  - 23. The computer-readable memory device of claim 19, where instructions to extract flow instructions for the two or more security devices from the single flow record further include instructions to obtain information for locating the data packet in memory and information providing a relative position of the data packet within the flow.
  - 24. The computer-readable memory device of claim 19, where instructions to create the new flow record include instructions to:
    - create a new session ID;
      
      retrieve device specific flow information associated with the data packet from the two or more security devices; and
      
      associate the new session ID and the device specific flow information with the new flow record.
  - 25. The computer-readable memory device of claim 24, further comprising instructions to use the device specific flow information to create instructions for each of the two or more security devices for processing the data packet.
  - 26. The computer-readable memory device of claim 24, the computer-readable memory device further comprising instructions to store security device specific flow information for each of the two or more security devices along with the new session ID in the single flow record.
  - 27. The computer-readable memory device of claim 19, further comprising instructions to process the data packet in each of the two or more security devices using the extracted flow instructions.
  - 28. The computer-readable memory device of claim 19, where instructions to process the data packet include one or more instructions to forward, drop, log or store the data packet.
  - 29. The computer-readable memory device of claim 19, where instructions to process the data packet include instructions to determine if the data packet is to be forwarded.
  - 30. The computer-readable memory device of claim 19, where the single flow record includes policy information for at least one of the two or more security devices.
  - 31. The computer-readable memory device of claim 19, where the single flow record includes a firewall policy and an intrusion prevention system policy.
  - 32. The computer-readable memory device of claim 19, where the single flow record includes encryption parameters for use by the two or more security devices.
  - 33. The computer-readable memory device of claim 19, where the single flow record includes address translation parameters.
  - 34. The computer-readable memory device of claim 19, where the single flow record includes bookkeeping or statistics information.
  - 35. The computer-readable memory device of claim 19, where the single flow record includes information describing which policies to apply to a given flow for use by one or more of the two or more security devices.
  - 36. The computer-readable memory device of claim 19, where the single flow record includes policy information for use by two or more security devices in processing the data packet.

37. An apparatus for processing data packets, having associated header data, comprising:
- a session module to determine flow information for each received data packet and evaluate a packet identifier, associated with the header data, identifying a particular flow associated with a given data packet;
  
  a flow table that includes flow records for each flow having information determined by the session module, each flow record including flow information for a plurality of security devices coupled to the apparatus,where the session module is further to;
  
  to locate a flow record, in the flow table, associated with the identified particular flow and retrieve the located flow record;
  
  transmit device specific flow information, including flow instructions associated with the located flow record, a session ID associated with the located flow record and flow information associated with the located flow record, to each of the plurality of security devices via communication interfaces;
  
  receive, from each of the plurality of security devices, evaluation information, the evaluation information being generated by a respective one of the plurality of security devices in processing the data packets; and
  
  process the data packets using the evaluation information.
- View Dependent Claims (38, 39, 40, 41)
- - 38. The apparatus of claim 37, where the session module is further to process the given data packet by one of dropping, logging, storing, or forwarding the given data packet.
  - 39. The apparatus of claim 37, where the flow table includes an index key and the device specific flow information for the plurality of security devices.
  - 40. The apparatus of claim 37, where the plurality of security devices are included in one of a firewall, a flow-based router, an intrusion detection system, or an intrusion prevention system.
  - 41. The apparatus of claim 37, where the flow table includes one or more flow records that include policy information for use by the plurality of security devices in processing the data packets.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
Reza; Mohammad W

Application Number

US10/402,920
Publication Number

US 20040030927A1
Time in Patent Office

2,489 Days
Field of Search

713/189, 713/152, 713/161, 726/13, 709/226
US Class Current

726/13
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 69/22   Parsing or analysis of headers

Intelligent integrated network security device

First Claim

2 Assignments

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

101 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent integrated network security device

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

101 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links