Method and apparatus for implementing a layer 3/layer 7 firewall in an L2 device
Abstract
Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
37 Citations
23 Claims
1. In a network device, a method comprising:
receiving a packet via a network that includes a plurality of distinct security domains;
determining whether the packet is to remain within a first one of the distinct security domains or pass between two of the distinct security domains;
performing, based on a first determination that the packet is to pass between the two distinct security domains, security screening on the packet before routing the screened packet to an egress port of the network device for forwarding on the network; and
routing, based on a second determination that the packet is to remain within the first distinct security domain, the packet to an egress port of the network device for forwarding on the network without performing the security screening on the packet.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A network device comprising:
an ingress port to receive a packet via a network that includes a plurality of distinct security domains;
a controller to determine whether the network device is to transfer the packet within a first one of the distinct security domains or between two of the distinct security domains;
a security device to perform security screening on the packet, based on a first determination that the packet is to be forwarded between the two distinct security domains, before routing the packet to an egress port of the network device for forwarding on the network; and
an engine to route the packet, based on a second determination that the packet is to be forwarded within the first distinct security domain, to an egress port of the network device for forwarding on the network without performing the security screening on the packet.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22

23. A system comprising:
one or more devices comprising:
means for receiving a packet via a network that includes a plurality of distinct security domains;
means for determining whether the packet is to be forwarded over the network within a first one of the distinct security domains or between two of the distinct security domains;
means for performing security screening on the packet based on a first determination that the packet is to be forwarded between the two distinct security domains;
means for forwarding the screened packet on the network or dropping the packet based on the security screening; and
means for forwarding the packet on the network without performing the security screening on the packet based on a second determination that the packet is to be forwarded within the first distinct security domain.
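The following Python is an added example, not code from the patent or from any product implementing it. It simulates the decision the abstract and the independent claims describe: an L2 forwarder that learns MAC addresses and forwards normally, but diverts a frame through zone-specific L3/L4 screening only when its ingress and egress ports sit in different security zones. The port-to-zone map, the rule format, the default-deny behaviour and all sample frames are constructed assumptions; the patent does not specify any of them. The example also covers a case the claims only imply: a broadcast or unknown-unicast frame is flooded, and each flooded copy is judged against the zone of its own egress port, so a flood that would leave the zone still goes through screening.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Constructed view of one received frame (L2 addresses plus L3/L4 fields)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One entry of a zone-pair policy (this format is an assumption, not the patent's)."""
    dst_net: str
    proto: str
    dport: Optional[int]
    action: str                 # "permit" or "deny"

    def matches(self, f: Frame) -> bool:
        return (ip_address(f.dst_ip) in ip_network(self.dst_net)
                and f.proto == self.proto
                and (self.dport is None or f.dport == self.dport))


class ZonedL2Switch:
    """L2 forwarder whose inspection path is taken only for inter-zone frames."""

    def __init__(self, port_zone, policy, default_action="deny"):
        self.port_zone = port_zone        # port name -> security zone
        self.policy = policy              # (from_zone, to_zone) -> [Rule, ...]
        self.default_action = default_action
        self.mac_table = {}               # learned MAC -> port (ordinary L2 learning)
        self.screened = 0                 # how many times the inspection path ran

    def screen(self, zone_from, zone_to, f):
        """Zone-specific L3/L4 screening; first matching rule wins, else the default."""
        self.screened += 1
        for rule in self.policy.get((zone_from, zone_to), []):
            if rule.matches(f):
                return rule.action == "permit"
        return self.default_action == "permit"

    def receive(self, in_port, f):
        """Return the egress ports the frame goes out on (empty list means dropped)."""
        self.mac_table[f.src_mac] = in_port
        src_zone = self.port_zone[in_port]
        known = self.mac_table.get(f.dst_mac)
        if known == in_port:
            candidates = []               # destination is behind the ingress port
        elif known is not None and f.dst_mac != BROADCAST:
            candidates = [known]
        else:
            # Unknown unicast or broadcast: flood to every other port. Each copy is
            # judged against its own egress zone below, so the flood cannot bypass screening.
            candidates = [p for p in self.port_zone if p != in_port]
        egress = []
        for port in candidates:
            dst_zone = self.port_zone[port]
            if dst_zone == src_zone:
                egress.append(port)       # intra-zone: plain L2 forwarding, no inspection
            elif self.screen(src_zone, dst_zone, f):
                egress.append(port)       # inter-zone: forwarded only if policy permits
        return egress


def demo():
    """Run constructed traffic through a two-zone switch and return what happened."""
    port_zone = {"ge-0/0/0": "trust", "ge-0/0/1": "trust", "ge-0/0/2": "dmz"}
    policy = {
        ("trust", "dmz"): [Rule("10.1.0.0/24", "tcp", 443, "permit")],
        ("dmz", "trust"): [],             # nothing is permitted back out of the DMZ
    }
    sw = ZonedL2Switch(port_zone, policy)
    results = {}
    # A DMZ host broadcasts; the flood would cross into "trust", so it is screened and dropped.
    results["dmz_broadcast"] = sw.receive("ge-0/0/2", Frame(
        "aa:00:00:00:00:03", BROADCAST, "10.1.0.10", "10.1.0.255", "udp", 137))
    # trust -> dmz HTTPS matches the permit rule.
    results["https_to_dmz"] = sw.receive("ge-0/0/0", Frame(
        "aa:00:00:00:00:01", "aa:00:00:00:00:03", "10.0.0.5", "10.1.0.10", "tcp", 443))
    # trust -> dmz SSH has no rule and falls to the default deny.
    results["ssh_to_dmz"] = sw.receive("ge-0/0/0", Frame(
        "aa:00:00:00:00:01", "aa:00:00:00:00:03", "10.0.0.5", "10.1.0.10", "tcp", 22))
    # trust -> trust SSH never leaves the zone: forwarded at L2 with no screening at all.
    results["ssh_within_trust"] = sw.receive("ge-0/0/1", Frame(
        "aa:00:00:00:00:02", "aa:00:00:00:00:01", "10.0.0.6", "10.0.0.5", "tcp", 22))
    results["screen_calls"] = sw.screened
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practitioner's point is in the last case: traffic between two "trust" ports is forwarded without ever touching the policy, so the port-to-zone assignment is the trust boundary. A host that can attach to a port in the same zone as its target (or, in a VLAN-keyed deployment, get its frames tagged into that VLAN) is not subject to the L3/L7 firewall at all. The counter `screen_calls` makes the other property visible: the flooded broadcast was screened once per cross-zone egress port, which is what keeps unknown-destination traffic from slipping past the policy.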
Specification