Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device

US 7,779,459 B2
Filed: 10/09/2007
Issued: 08/17/2010
Est. Priority Date: 09/28/2001
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. In a network device, a method comprising:

receiving a packet via a network that includes a plurality of distinct security domains;

determining whether the packet is to remain within a first one of the distinct security domains or pass between two of the distinct security domains;

performing, based on a first determination that the packet is to pass between the two distinct security domains security, security screening on the packet before routing the screened packet to an egress port of the network device for forwarding on the network; and

routing, based on a second determination that the packet is to remain within the first distinct security domain, the packet to an egress port of the network device for forwarding on the network without performing the security screening on the packet.

View all claims

0 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

37 Citations

View as Search Results

23 Claims

1. In a network device, a method comprising:
- receiving a packet via a network that includes a plurality of distinct security domains;
  
  determining whether the packet is to remain within a first one of the distinct security domains or pass between two of the distinct security domains;
  
  performing, based on a first determination that the packet is to pass between the two distinct security domains security, security screening on the packet before routing the screened packet to an egress port of the network device for forwarding on the network; and
  
  routing, based on a second determination that the packet is to remain within the first distinct security domain, the packet to an egress port of the network device for forwarding on the network without performing the security screening on the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, where performing the security screening comprises:
    - enforcing at least one security constraint with respect to the screened packet.
  - 3. The method of claim 2, where the enforcing the at least one security constraint comprises at least one of applying a security policy, performing traffic management, or performing a filtering function.
  - 4. The method of claim 2, where the enforcing the at least one security constraint comprises at least two of applying a security policy, performing traffic management, or performing a filtering function.
  - 5. The method of claim 2, where the enforcing the at least one security constraint comprises applying a security policy, performing traffic management, and performing a filtering function.
  - 6. The method of claim 1, further comprising:
    - creating, at the network device, the plurality of distinct security domains.
  - 7. The method of claim 6, where the creating comprises specifying policies and other criteria for defining and managing each of the plurality of distinct security domains.
  - 8. The method of claim 6, where operating parameters associated with each of the plurality of distinct security domains are not made known to users associated with the plurality of distinct security domains.
  - 9. The method of claim 1, where operating parameters associated with each of the plurality of distinct security domains are defined by users associated with each of the plurality of distinct security domains.
  - 10. The method of claim 1, where the determining whether the packet is to remain within the first distinct security domain or pass between the two distinct security domains comprises:
    - comparing a security domain identifier associated with an ingress port on which the packet was received to a security domain associated with an egress port on which the packet is to be forwarded.
  - 11. The method of claim 1, where the determining whether the packet is to remain within the first distinct security domain or pass between the two distinct security domains comprises:
    - identifying a security domain indicator in the packet.

12. A network device comprising:
- an ingress port to receive a packet via a network that includes a plurality of distinct security domains;
  
  a controller to determine whether the network device is to transfer the packet within a first one of the distinct security domains or between two of the distinct security domains;
  
  a security device to perform security screening, based on a first determination that the packet is to be forwarded between the two distinct security domains security, on the packet before routing the packet to an egress port of the network device for forwarding on the network; and
  
  an engine to route the packet, based on a second determination that the packet is to be forwarded within the first distinct security domain, to an egress port of the network device for forwarding on the network without performing the security screening on the packet.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The network device of claim 12, where the security device is configured to enforce at least one security constraint with respect to the packet.
  - 14. The network device of claim 13, where the enforcing the at least one security constraint comprises at least one of applying a security policy, performing traffic management, or performing a filtering function.
  - 15. The network device of claim 13, where the enforcing the at least one security constraint comprises at least two of applying a security policy, performing traffic management, or a filtering function.
  - 16. The network device of claim 13, where the enforcing the at least one security constraint comprises applying a security policy, performing traffic management, and performing a filtering function.
  - 17. The network device of claim 12, further comprising:
    - a user interface to be used to create the plurality of distinct security domains.
  - 18. The network device of claim 17, where creating the plurality of distinct security domains comprises specifying policies and other criteria for defining and managing each of the plurality of distinct security domains.
  - 19. The network device of claim 17, where operating parameters associated with each of the plurality of distinct security domains are not made known to users associated with the plurality of distinct security domains.
  - 20. The network device of claim 12, where operating parameters associated with each of the plurality of distinct security domains are defined by users associated with each of the plurality of distinct security domains.
  - 21. The network device of claim 12, where the controller is configured to determine whether the network device is to transfer the packet within the first distinct security domain or between the two distinct security domains comprises by comparing a security domain identifier associated with an ingress port on which the packet was received to a security domain associated with an egress port on which the packet is to be forwarded.
  - 22. The network device of claim 12, where the controller is configured to determine whether the network device is to transfer the packet within the first distinct security domain or between the two distinct security domains comprises by identifying a security domain indicator in the packet.

23. A system comprising:
- one or more devices comprising;
  
  means for receiving a packet via a network that includes a plurality of distinct security domains;
  
  means for determining whether the packet is to be forwarded over the network within a first one of the distinct security domains or between two of the distinct security domains;
  
  means for performing security screening on the packet based on a first determination that the packet is to be forwarded between the two distinct security domains security;
  
  means for forwarding the screened packet on the network or dropping the packet based on the security screening; and
  
  means for forwarding the packet on the network without performing the security screening on the packet based on a second determination that the packet is to be forwarded within the first distinct security domain.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Huang, Guangsong, Cheung, Lee Chik, Mao, Yu Ming, Lian, Roger Jia-Jyi
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/869,287
Publication Number

US 20080034414A1
Time in Patent Office

1,043 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/04   for providing a confidentia...

H04L 63/102   Entity profiles

H04L 63/162   at the data link layer

Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device

First Claim

0 Assignments

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

37 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device

First Claim

0 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

37 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others