Stateful firewall protection for control plane traffic within a network device
Abstract
A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding component for forwarding to the routing component. The firewall component may be a security service card.
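The packet path the abstract and the independent claims describe, as an added example that is not part of the patent or any vendor's code: a model of the forwarding component classifying traffic by the routing component's own address, diverting only control plane packets through a physically separate stateful firewall, and looping accepted packets back toward the routing component while data plane packets bypass the firewall entirely. The routing-engine address, the per-source new-session budget used as the firewall's stateful check, and the sample packets are constructed assumptions for illustration.

```python
from collections import defaultdict
ROUTING_ENGINE_ADDR = "10.0.0.1"  # constructed address of the routing component

class StatefulFirewall:  # physically separate component; sees only control plane packets
    def __init__(self, max_new_sessions=3):
        self.sessions = set()                 # (src, sport, proto) of sessions seen opening
        self.opens_per_src = defaultdict(int)
        self.max_new_sessions = max_new_sessions  # assumed per-source budget for new sessions
        self.alerts = []

    def inspect(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key in self.sessions:              # belongs to a tracked session: pass
            return True
        if pkt.get("syn"):                    # request to open a session toward the routing engine
            self.opens_per_src[pkt["src"]] += 1
            if self.opens_per_src[pkt["src"]] > self.max_new_sessions:
                self.alerts.append(("session-flood", pkt["src"]))
                return False
            self.sessions.add(key)
            return True
        self.alerts.append(("no-session", pkt["src"]))  # mid-stream packet with no state
        return False

class NetworkDevice:
    def __init__(self):
        self.firewall = StatefulFirewall()
        self.routing_engine = []   # control plane packets handed to the routing component
        self.egress = []           # data plane packets sent to an output interface

    def forward(self, pkt):
        """Forwarding component: classify, divert control plane through the firewall, loop back."""
        if pkt["dst"] != ROUTING_ENGINE_ADDR:
            self.egress.append(pkt)           # data plane: forwarded, never touches the firewall
            return "data"
        if self.firewall.inspect(pkt):        # firewall first, then loop back ...
            self.routing_engine.append(pkt)   # ... and forward to the routing component
            return "control-accepted"
        return "control-dropped"

# Constructed traffic: a transit packet, a session open to the routing engine plus one in-session packet, a stray mid-stream packet, then a burst of session opens.
SAMPLE = ([{"src": "192.0.2.7", "sport": 1111, "dst": "203.0.113.9", "proto": "tcp"},
           {"src": "192.0.2.5", "sport": 5001, "dst": ROUTING_ENGINE_ADDR, "proto": "tcp", "syn": True},
           {"src": "192.0.2.5", "sport": 5001, "dst": ROUTING_ENGINE_ADDR, "proto": "tcp"},
           {"src": "198.51.100.4", "sport": 6000, "dst": ROUTING_ENGINE_ADDR, "proto": "tcp"}]
          + [{"src": "198.51.100.8", "sport": 40000 + i, "dst": ROUTING_ENGINE_ADDR,
              "proto": "tcp", "syn": True} for i in range(5)])
def run(packets=SAMPLE):
    dev = NetworkDevice()
    return [dev.forward(p) for p in packets], dev
```

The returned device exposes what reached the routing component, what left via the egress path, and the alerts the firewall raised for control plane packets that failed the stateful check.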
91 Citations
23 Claims
1. A method for processing packets within a network device having a forwarding component, a routing component and a firewall component, the method comprising:
- receiving control plane packets and data plane packets with the forwarding component of a network device, wherein the control plane packets are packets destined for a routing component within the network device and which specify a network address of the routing component, and wherein the data plane packets are packets received by the network device that are destined for devices external to the network device;
- forwarding the control plane packets from the forwarding component to the firewall component within the network device prior to forwarding the control plane packets from the firewall component to the routing component of the network device, wherein the firewall component is physically separate from the forwarding component and the routing component and electrically coupled to the forwarding component and the routing component; and
- processing the control plane packets with the physically separate firewall component to detect a network attack.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A network device comprising:
- a routing component that maintains routing information in accordance with a topology of the network;
- an interface that receives control plane packets and data plane packets from a network, wherein the control plane packets are packets destined for a routing component within the network device and which specify a network address of the routing component, and wherein the data plane packets are packets received by the network device that are destined for devices external to the network device; and
- a firewall component that processes the control plane packets to detect a security issue, wherein the firewall component is physically separate from the routing component and a forwarding component of the network device and electrically coupled to the routing component and the forwarding component; and
- wherein the forwarding component receives the control plane packets from the interface and directs the control plane packets from the forwarding component to the physically separate firewall component for processing prior to the network device forwarding the control plane packets to the routing component.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21

22. A non-transitory computer-readable storage medium comprising instructions that cause a processor to:
- receive control plane packets and data plane packets within a forwarding component of a router, wherein the control plane packets are packets destined for a routing component within the network device and which specify a network address of the routing component, and wherein the data plane packets are packets received by the network device that are destined for devices external to the network device;
- forward the data plane packets to an output interface in accordance with routing information without processing the data plane packets with firewall software of the network device that is maintained in a firewall component physically separate from and electrically connected to the routing component and forwarding component;
- forward the control plane packets from the forwarding component to the physically separate firewall component within the network device prior to forwarding the control plane packets from the physically separate firewall component to the routing component of the network device;
- forward the control plane packets from the physically separate firewall component to the routing component after the control plane packets are processed with the firewall software of the physically separate firewall component.
Dependent claims: 23