Intelligent integrated network security device for high-availability applications

US 7,734,752 B2
Filed: 10/12/2004
Issued: 06/08/2010
Est. Priority Date: 02/08/2002
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method in a computer network, comprising:

processing packets, by a primary security system, the primary security system including a first device-implemented session module to maintain flow information for the primary security system to facilitate processing of the packets, where the first device-implemented session module includes a first flow table having a primary portion that stores information associated with the operation of the first device-implemented session module, when the primary security system is functioning in a primary security system mode, and a secondary portion that stores information associated with the operation of the first device-implemented session module, when the primary security system is functioning in a failover mode;

designating a secondary security system for processing packets upon a failover event, the secondary security system including a second device-implemented session module to maintain flow information for the secondary security system to facilitate processing of the packets, where the second device-implemented session module includes a second flow table having a primary portion that stores information associated with the operation of the second device-implemented session module, when the secondary security system is functioning in a primary security system mode, and a secondary portion that stores information associated with the operation of the second device-implemented session module, when the secondary security system is functioning in a failover mode;

sharing flow records from the primary security system with the secondary security system;

sharing flow records from the secondary security system with the primary security system;

using the primary security system to provide failover support for the secondary security system, based on the information stored in the secondary portion of the first flow table; and

using the secondary security system to provide failover support for the primary security system, based on the information stored in the secondary portion of the second flow table.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Methods and apparatuses for inspecting packets are provided. A primary security system may be configured for processing packets. The primary security system may be operable to maintain flow information for a group of devices to facilitate processing of the packets. A secondary security system may be designated for processing packets upon a failover event. Flow records may be shared from the primary security system with the secondary security system.

Citations

23 Claims

1. A method in a computer network, comprising:
- processing packets, by a primary security system, the primary security system including a first device-implemented session module to maintain flow information for the primary security system to facilitate processing of the packets, where the first device-implemented session module includes a first flow table having a primary portion that stores information associated with the operation of the first device-implemented session module, when the primary security system is functioning in a primary security system mode, and a secondary portion that stores information associated with the operation of the first device-implemented session module, when the primary security system is functioning in a failover mode;
  
  designating a secondary security system for processing packets upon a failover event, the secondary security system including a second device-implemented session module to maintain flow information for the secondary security system to facilitate processing of the packets, where the second device-implemented session module includes a second flow table having a primary portion that stores information associated with the operation of the second device-implemented session module, when the secondary security system is functioning in a primary security system mode, and a secondary portion that stores information associated with the operation of the second device-implemented session module, when the secondary security system is functioning in a failover mode;
  
  sharing flow records from the primary security system with the secondary security system;
  
  sharing flow records from the secondary security system with the primary security system;
  
  using the primary security system to provide failover support for the secondary security system, based on the information stored in the secondary portion of the first flow table; and
  
  using the secondary security system to provide failover support for the primary security system, based on the information stored in the secondary portion of the second flow table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - determining whether the failover event occurred; and
      
      processing a packet by one of the primary security system or the secondary security system for the other one of the primary security system or the secondary security system when the failover event occurs.
  - 3. The method of claim 1, where the failover event includes the failure of one of the primary security system or the secondary security system.
  - 4. The method of claim 1, where the failover event includes a failure of a link from one of the primary security system or the secondary security system to the computer network.
  - 5. The method of claim 2, where the determining is performed at the one of the primary security system or the secondary security system.
  - 6. The method of claim 2, where the determining further comprises:
    - detecting an absence of a keep-alive signal.
  - 7. The method of claim 2, where the determining further comprises:
    - monitoring operation of the one of the primary security system or the secondary security system, andsending a take-over signal to the other one of the primary security system or the secondary security system when the monitoring operation detects a fault.
  - 8. The method of claim 1, where the secondary security system is configured substantially identical to the primary security system.
  - 9. The method of claim 1, where the sharing flow records further comprises:
    - sharing the flow records between the primary security system and the secondary security system at predetermined intervals.
  - 10. The method of claim 1, where the sharing flow records further comprises:
    - sharing the flow records between the primary security system and the secondary security system when a refresh message is received by one of the primary security system or the secondary security system.
  - 11. The method of claim 10, where the one of the primary security system or the secondary security system sends the refresh message when a session is set-up or torn down.
  - 12. The method of claim 1, further comprising:
    - resuming receiving and processing of a packet at one of the primary security system or the secondary security system when a condition that caused the failover event is cleared.

13. A system, comprising:
- a processor-implemented primary security system to process packets, the primary security system including a first device-implemented session module to maintain flow information for the primary security system to facilitate processing of the packets, where the first device-implemented session module includes a first flow table having a primary portion that stores information associated with an operation of the first device-implemented session module, when the primary security system is functioning in a primary security system mode, and a secondary portion that stores information associated with an operation of the first device-implemented session module, when the primary security system is functioning in a failover mode; and
  
  a secondary security system to process packets upon a failover event, the secondary security system including a second device-implemented session module to maintain flow information for the secondary security system to facilitate processing of packets, where the second device-implemented session module includes a second flow table having a primary portion that stores information associated with an operation of the second device-implemented session module, when the secondary security system is functioning in a primary security system mode, and a secondary portion that stores information associated with an operation of the second device-implemented session module, when the secondary security system is functioning in a failover mode,where the primary security system and the secondary security system share flow records, andwhere the primary security system is to provide failover support for the secondary security system, based on the information stored in the secondary portion of the first flow table and the secondary security system is to provide failover support for the primary security system, based on the information stored in the secondary portion of the second flow table.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The system of claim 13, whereone of the primary security system or the secondary security system is to determine if the failover event has occurred, andwhen the failover event is determined to have occurred, one of the primary security system or the secondary security system is to process the packets for the other one of the primary security system or the secondary security system.
  - 15. The system of claim 13, where the failover event includes failure of one of the primary security system or the secondary security system.
  - 16. The system of claim 13, where the failover event includes a failure of a link from one of the primary security system or the secondary security system to a computer network.
  - 17. The system of claim 14, where the one of the primary security system or the secondary security system is to determine if the failover event has occurred by detecting an absence of a keep-alive signal.
  - 18. The system of claim 14, where the one of the primary security system or the secondary security system is to determine if the failover event has occurred by detecting a fault in the one of the primary security system or the secondary security system.
  - 19. The method of claim 13, where the secondary security system is substantially identical to the primary security system.
  - 20. The system of claim 13, where the primary security system and the secondary security share the flow records at predetermined intervals.
  - 21. The system of claim 13, where the primary security system and the secondary security share the flow records when a refresh message is received by one of the primary security system or the secondary security system.
  - 22. The system of claim 21, where the one of the primary security system or the secondary security system sends the refresh message when a session is set-up or torn down.
  - 23. The system of claim 13, where one of the primary security system or the secondary security system resumes receiving and processing of packets when a condition that caused the failover event is cleared.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Mao, Yu Ming, Zuk, Nir, Guruswamy, Kowsik
Primary Examiner(s)
Dharia; Rupal D
Assistant Examiner(s)
HOSSAIN, TANIM M

Application Number

US10/961,075
Publication Number

US 20060005231A1
Time in Patent Office

2,065 Days
Field of Search

709/205, 709/223, 714/11
US Class Current

709/223
CPC Class Codes

G06F 11/2002   where interconnections or c...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0428   wherein the data content is...

H04L 63/1416   Event detection, e.g. attac...

H04L 69/40   for recovering from a failu...

H04L 9/40   Network security protocols

Intelligent integrated network security device for high-availability applications

First Claim

1 Assignment

Litigations

1 Petition

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent integrated network security device for high-availability applications

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links