Firewall including local bus

US 7,784,093 B2
Filed: 02/29/2008
Issued: 08/24/2010
Est. Priority Date: 04/01/1999
Status: Active Grant

First Claim

Patent Images

1. A network device comprising:

a first memory to store packets received at the network device;

a controller to transfer the packets to the first memory via a first bus;

a processor including a plurality of processing units and a second memory to store a first plurality of rules; and

a third memory to store a second plurality of rules,where the processor is to;

retrieve a first one of the packets from the first memory via the first bus or a second bus,inspect the first packet to identify a set of rules associated with the first packet,match ones of the identified set of rules to ones of the first plurality of rules, andmatch at least one other one of the identified set of rules to at least one of the second plurality of rules, andwhere at least one of the processing units processes the first packet using the matched ones of the identified set of rules and the matched at least one other one of the identified set of rules.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy.

56 Citations

View as Search Results

20 Claims

1. A network device comprising:
- a first memory to store packets received at the network device;
  
  a controller to transfer the packets to the first memory via a first bus;
  
  a processor including a plurality of processing units and a second memory to store a first plurality of rules; and
  
  a third memory to store a second plurality of rules,where the processor is to;
  
  retrieve a first one of the packets from the first memory via the first bus or a second bus,inspect the first packet to identify a set of rules associated with the first packet,match ones of the identified set of rules to ones of the first plurality of rules, andmatch at least one other one of the identified set of rules to at least one of the second plurality of rules, andwhere at least one of the processing units processes the first packet using the matched ones of the identified set of rules and the matched at least one other one of the identified set of rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The network device of claim 1, where the processor is to match the ones of the identified set of rules to the ones of the first plurality of rules without accessing either of the first or second buses.
  - 3. The network device of claim 1, where the processor is to match the at least one other one of the identified set of rules to the at least one of the second plurality of rules using the second bus.
  - 4. The network device of claim 3, where the controller is to transfer other ones of the packets to the first memory via the first bus concurrently with the processor'"'"'s matching the at least one other one of the identified set of rules to the at least one of the second plurality of rules.
  - 5. The network device of claim 1, where the processor is to retrieve another one of the packets from the first memory via the second bus concurrently with the matching the at least one other one of the identified set of rules to the at least one of the second plurality of rules.
  - 6. The network device of claim 1, where the matched ones of the identified set of rules include a first type of rule and a second type of rule, and the matched at least one other one of the identified set of rules includes the first type of rule and not the second type of rule.
  - 7. The network device of claim 6, where the second type of rule comprises a pointer that points to the matched at least one other one of the identified set of rules.
  - 8. The network device of claim 1, where the processor further comprises a buffer, and the at least one processing unit is to generate a partial processing result for the first packet using the matched ones of the identified set of rules before the matching at least one other one of the identified set of rules is completed, and the buffer stores the partial processing result.
  - 9. The network device of claim 8, where the at least one processing unit is to generate a complete processing result for the first packet using the stored partial processing result and the matched at least one other one of the identified set of rules.
  - 10. The network device of claim 1, where the processor is to match the ones of the identified set of rules to the ones of the first plurality of rules before matching the at least one other one of the identified set of rules to the at least one of the second plurality of rules.
  - 11. The network device of claim 1, where the at least one processing unit processes the first packet by performing a plurality of security-related packet processing operations on the first packet.
  - 12. The network device of claim 11, where the plurality of security-related packet processing operations comprise at least two of authentication, encryption, decryption, virtual private network (VPN), or firewall services.
  - 13. The network device of claim 12, where the at least two security-related packet processing operations are performed in parallel.
  - 14. The network device of claim 12, where a first one of the at least two security-related packet processing operations is initiated within a plurality of clock cycles following an initiation and without interruption by a second one of the at least two security-related packet processing operations.
  - 15. The network device of claim 11, where the plurality of security-related packet processing operations comprise at least two of data encryption standard (DES) encryption, message digest 5 (MD5) authentication, triple DES encryption, or secure hash algorithm (SHA1) authentication.
  - 16. The network device of claim 15, where two or more of the at least two security-related packet processing operations are performed in parallel.

17. A method performed in communication system, the method comprising:
- storing, in a first memory of the communication system, packets received at the communication system;
  
  transferring, by a controller of the communication system and via a first bus, the packets to the first memory;
  
  storing, in a second memory of the communication system, a first plurality of rules;
  
  storing, in a third memory of the communication system, a second plurality of rules; and
  
  retrieving, by a processor of the communication system and via the first bus or a second bus, a first one of the packets from the first memory,inspecting, by the processor, the first packet to identify a set of rules associated with the first packet,matching, by the processor, ones of the identified set of rules to ones of the first plurality of rules,matching, by the processor, at least one other one of the identified set of rules to at least one of the second plurality of rules, andprocessing, by the processor, the first packet using the matched ones of the identified set of rules and the matched at least one other one of the identified set of rules.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, where the matched ones of the identified set of rules include a first type of rule and a second type of rule, and the matched at least one other one of the identified set of rules includes the first type of rule and not the second type of rule.
  - 19. The method of claim 17, where the second type of rule comprises a pointer that points to the matched at least one other one of the identified set of rules.
  - 20. The method of claim 17, further comprising buffering a partial processing result for the first packet, where the partial processing result is based on the matched ones of the identified set of rules and not the matched at least one other one of the identified set of rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Luo, Dongping, Deng, Feng, Ke, Yan
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US12/040,006
Publication Number

US 20080209540A1
Time in Patent Office

907 Days
Field of Search

726/1, 726 11- 15
US Class Current

726/11
CPC Class Codes

H04L 49/90   Buffering arrangements

H04L 49/901   using storage descriptor, e...

H04L 49/9057   Arrangements for supporting...

H04L 63/02   for separating internal fro...

H04L 69/16   Implementation or adaptatio...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Firewall including local bus

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall including local bus

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links