Integrated data flow packet admission and traffic management apparatus
12 Assignments
0 Petitions
Abstract
There are methods and apparatus, including computer program products, for defining a policy including a set of rules for a packet forwarding device by receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.
34 Citations
9 Claims
1. An integrated data flow packet admission and traffic management apparatus deployed between a local area network and a wide area network, the apparatus comprising:
- a non-statutory machine readable storage, digital electronic circuitry, and processors;
- a security engine, the security engine coupled to a traffic management engine, both the security engine and the traffic management engine coupled to a policy table, and the traffic management engine further coupled to a network interface;
- the security engine comprising a classification component coupled to the network interface, whereby classification is only performed once; and the classification component coupled to the traffic management engine;
- a connection table coupled to the classification component, wherein said connection table comprises an information store of data to match an incoming packet with an extant admitted connection, and wherein the security engine comprises a data flow identification logic circuit, wherein a data flow is one of an extant admitted connection or a new connection, wherein said data flow identification logic circuit identifies a first packet of a new connection, and causes a drop or deny directive to said first packet of a new connection when an additional admission of said new connection to the connection table would exceed available bandwidth.
Dependent claims: 2, 3, 4, 5

6. An integrated data flow packet admission and traffic management apparatus comprising:
- a non-statutory machine readable storage, digital electronic circuitry, and processors;
- a security engine, the security engine coupled to a connection table, the security engine further coupled to a policy table;
- wherein the security engine comprises a classification component, said classification component coupled to at least one application layer gateway logic component, and said application layer gateway logic component coupled to an admission control logic component, said admission control logic component coupled to a traffic management engine;
- wherein the admission control logic component determines an accept, a deny, or a drop directive for a packet based on a class of data flows with which the packet is associated and further tags the packet with a class identifier for an existing data flow; and
- wherein each application layer gateway logic component comprises a protocol specific component, which reserves a specific port or port range to support a specific protocol for a duration of a protocol session, and closes the reserved port or port range upon termination of the protocol session, whereby services which would fail when traversing a network address translation component are sustained.
Dependent claims: 7, 8, 9
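The two independent claims describe one pipeline: classify a packet once against a policy table whose rules carry both a security directive and a traffic class, match it against a connection table of already-admitted flows, and, for the first packet of a new flow, let admission control drop it when admitting the flow would exceed available bandwidth; an application layer gateway additionally reserves ports for the duration of a protocol session. The following toy model is an added example written for this page, not code from the patent or its assignee. The policy rules, bandwidth figures, class names, per-connection bandwidth reservation and packets are constructed assumptions chosen to exercise each directive (accept, deny, drop) and the port reservation.

```python
"""Toy model of a single-classification admission / traffic-management engine.

Added illustration, not the patent's implementation. Rules, classes, bandwidth
figures and packets are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    """One policy-table entry: the security half (action) and the
    traffic-management half (class identifier, assumed per-connection kbps)."""
    dport: int
    action: str   # "accept" or "deny"
    cls: str      # class identifier tagged onto admitted packets
    kbps: int     # assumption: bandwidth reserved per admitted connection


class PolicyTable:
    def __init__(self, rules):
        self.rules = list(rules)
        self.reserved = {}  # dport -> Rule, added/removed by an ALG session

    def classify(self, pkt):
        """Single classification of a packet; ALG-reserved ports win."""
        if pkt.dport in self.reserved:
            return self.reserved[pkt.dport]
        for r in self.rules:
            if r.dport == pkt.dport:
                return r
        return None


class ConnectionTable:
    """Information store matching a packet to an extant admitted connection."""
    def __init__(self):
        self.entries = {}  # bidirectional 5-tuple key -> class identifier

    @staticmethod
    def _key(pkt):
        # Sort the endpoints so replies hit the same entry as the first packet.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def lookup(self, pkt):
        return self.entries.get(self._key(pkt))

    def admit(self, pkt, cls):
        self.entries[self._key(pkt)] = cls


class Engine:
    def __init__(self, policy, available_kbps):
        self.policy = policy
        self.available_kbps = available_kbps
        self.conns = ConnectionTable()
        self.reserved_kbps = 0  # bandwidth already committed to admitted flows

    def process(self, pkt):
        """Return (directive, class) for one packet."""
        cls = self.conns.lookup(pkt)
        if cls is not None:
            return ("accept", cls)            # extant admitted connection
        rule = self.policy.classify(pkt)      # classification happens once
        if rule is None or rule.action == "deny":
            return ("deny", None)
        # First packet of a new connection: admission control decides whether
        # the extra reservation still fits; if not, only this new flow suffers.
        if self.reserved_kbps + rule.kbps > self.available_kbps:
            return ("drop", rule.cls)
        self.reserved_kbps += rule.kbps
        self.conns.admit(pkt, rule.cls)
        return ("accept", rule.cls)


class AppLayerGateway:
    """Protocol-specific component: reserves ports for a session's secondary
    connections and releases them when the session ends (assumed interface)."""
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}

    def open_session(self, session_id, ports, cls, kbps):
        self.sessions[session_id] = list(ports)
        for p in ports:
            self.policy.reserved[p] = Rule(p, "accept", cls, kbps)

    def close_session(self, session_id):
        for p in self.sessions.pop(session_id):
            self.policy.reserved.pop(p, None)


if __name__ == "__main__":
    policy = PolicyTable([Rule(80, "accept", "web", 400), Rule(23, "deny", "telnet", 0)])
    eng = Engine(policy, available_kbps=1000)
    for i in range(3):   # third web flow is dropped: 800 + 400 > 1000
        print(eng.process(Packet("10.0.0.%d" % (5 + i), "203.0.113.10", "tcp", 40001 + i, 80)))
```

Design note: the drop directive is applied only to the first packet of a new flow, so flows already in the connection table keep their reservation under load rather than being throttled collectively. Closing an ALG session stops new connections on the reserved ports; entries already admitted stay matchable until the connection table evicts them, which this toy model does not implement.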