Stateful firewall protection for control plane traffic within a network device

US 8,020,200 B1
Filed: 06/01/2009
Issued: 09/13/2011
Est. Priority Date: 08/11/2004
Status: Active Grant

First Claim

Patent Images

1. A method for processing packets within a network device having a forwarding component, a routing component and a firewall component, the method comprising:

receiving control plane packets and data plane packets with the forwarding component of a network device, wherein the control plane packets are packets destined for a routing component within the network device and which specify a network address of the routing component, and wherein the data plane packets are packets received by the network device that are destined for devices external to the network device;

forwarding the control plane packets from the forwarding component to the firewall component within the network device prior to forwarding the control plane packets from the firewall component to the routing component of the network device, wherein the firewall component is physically separate from the forwarding component and the routing component and electrically coupled to the forwarding component and the routing component; and

processing the control plane packets with the physically separate firewall component to detect a network attack.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding components for forwarding to the routing component. The firewall component may be a security service card.

91 Citations

View as Search Results

23 Claims

1. A method for processing packets within a network device having a forwarding component, a routing component and a firewall component, the method comprising:
- receiving control plane packets and data plane packets with the forwarding component of a network device, wherein the control plane packets are packets destined for a routing component within the network device and which specify a network address of the routing component, and wherein the data plane packets are packets received by the network device that are destined for devices external to the network device;
  
  forwarding the control plane packets from the forwarding component to the firewall component within the network device prior to forwarding the control plane packets from the firewall component to the routing component of the network device, wherein the firewall component is physically separate from the forwarding component and the routing component and electrically coupled to the forwarding component and the routing component; and
  
  processing the control plane packets with the physically separate firewall component to detect a network attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein receiving control plane packets and data plane packets comprises receiving the control plane packets and data plane packets with the forwarding component coupled to one or more physical interface cards.
  - 3. The method of claim 2,wherein the firewall component comprises a service card that provides an operating environment for firewall software, andwherein forwarding the control plane packets comprises forwarding the control plane packets from the forwarding component to the service card for processing by the firewall software.
  - 4. The method of claim 3, further comprising forwarding the control plane packets from the service card to the routing component after processing the control plane packets with the firewall software.
  - 5. The method of claim 4,issuing a feedback communication from the physically separate firewall component to the routing component based on the processing of the control plane packets by the physically separate firewall component;
    - wherein issuing a feedback communication comprises issuing a feedback communication from the service card to the routing component based on the processing of the control plane packets by the firewall software.
  - 6. The method of claim 5, further comprising establishing one or more filters with the routing component in response to the feedback communication, wherein at least some of the one or more filters specify which control plane packets are to be directed from the forwarding component to the routing component.
  - 7. The method of claim 1, wherein processing the control plane packets comprises performing stateful inspection of the packets to detect a security issue.
  - 8. The method of claim 1, wherein processing the control plane packets comprises performing trend analysis on the control plane packets.
  - 9. The method of claim 1, wherein processing the control plane packets comprises determining whether the control plane packets conform to one or more routing protocols by processing the packets with application level gateways (ALGs) specific to the routing protocols.
  - 10. The method of claim 1, further comprising forwarding the control plane packets to the routing component after processing the control plane packets.
  - 11. The method of claim 1, further comprising:
    - issuing a feedback communication from the physically separate firewall component to the routing component based on the processing of the control plane packets by the physically separate firewall component; and
      
      establishing one or more filters with the routing component in response to the feedback communication.

12. A network device comprising:
- a routing component that maintains routing information in accordance with a topology of the network;
  
  an interface that receives control plane packets and data plane packets from a network, wherein the control plane packets are packets destined for a routing component within the network device and which specify a network address of the routing component, and wherein the data plane packets are packets received by the network device that are destined for devices external to the network device; and
  
  a firewall component that processes the control plane packets to detect a security issue, wherein the firewall component is physically separate from the routing component and a forwarding component of the network device and electrically coupled to the routing component and the forwarding component; and
  
  wherein the forwarding component receives the control plane packets from the interface and directs the control plane packets from the forwarding component to the physically separate firewall component for processing prior to the network device forwarding the control plane packets to the routing component.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The network device of claim 12, wherein the firewall component comprises a service card that provides an operating environment for firewall software, wherein the service card forwards the control plane packets to the routing component after processing the control plane packets with the firewall software.
  - 14. The network device of claim 13, wherein the service card issues a feedback communication to the routing component based on the processing of the control plane packets by the firewall software, wherein the routing component establishes one or more filters in response to the feedback communication, wherein at least some of the one or more filters specify which control plane packets are to be directed from the forwarding component to the routing component.
  - 15. The network device of claim 12, wherein the firewall component comprises a control packet interface that rejects at least a subset of the control plane packets without forwarding the rejected subset to the routing component.
  - 16. The network device of claim 12, wherein the firewall component includes one or more packet analysis modules that perform stateful inspection of the packets to detect the security issue.
  - 17. The network device of claim 12, wherein the firewall component includes a trend analysis module that performs trend analysis on the control plane packets.
  - 18. The network device of claim 12, wherein the firewall component determines whether the control plane packets conform to one or more routing protocols.
  - 19. The network device of claim 12, wherein the firewall component includes one or more application level gateways (ALGs) to perform application level checks on the control plane packets.
  - 20. The network device of claim 12, wherein the forwarding components mirrors the control plane packets to generate a first stream of control plane packets and a second stream of the control plane packets, and forwards the first stream of the control plane packets to the routing component and the second stream of the control plane to the firewall component.
  - 21. The network device of claim 12, further comprising:
    - an interface associated with the routing component,a service card;
      
      wherein the forwarding component redirects the control plane packets to the service card upon determining that the control plane packets are destined for the interface associated with the routing component,wherein the service card receives the control plane packets and loops the control plane packets back to the forwarding component for communication to the routing component; and
      
      wherein the firewall component is applied to the control plane packets as a service upon entering or exiting the service interface card.

22. A non-transitory computer-readable storage medium comprising instructions that cause a processor to:
- receive control plane packets and data plane packets within a forwarding component of a router, wherein the control plane packets are packets destined for a routing component within the network device and which specify a network address of the routing component, and wherein the data plane packets are packets received by the network device that are destined for devices external to the network device;
  
  forward the data plane packets to an output interface in accordance with routing information without processing the data plane packets with firewall software of the network device that is maintained in a firewall component physically separate from and electrically connected to the routing component and forwarding component;
  
  forward the control plane packets from the forwarding component to the physically separate firewall component within the network device prior to forwarding the control plane packets from the physically separate firewall component to the routing component of the network device;
  
  forward the control plane packets from the physically separate firewall component to the routing component after the control plane packets are processed with the firewall software of the physically separate firewall component.
- View Dependent Claims (23)
- - 23. The computer-readable storage medium of claim 22,wherein the physically separate firewall component comprises a service card,wherein the instructions cause the processor to forward the control plane packets to the service card for processing with the firewall software, andwherein the instructions cause the processor to receive a feedback communication from the service card, and forward the feedback communication from the service card to the control plane.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Krohn, Robert M., Ramamoorthi, Sankar, Holleman, Keith, Freed, Michael
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Baum; Ronald

Application Number

US12/476,083
Time in Patent Office

834 Days
Field of Search

726/11
US Class Current

726/11
CPC Class Codes

H04L 63/0254 Stateful filtering

H04L 63/1441 Countermeasures against mal...

Stateful firewall protection for control plane traffic within a network device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Stateful firewall protection for control plane traffic within a network device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links