Packet firewalls of particular use in packet switching devices

US 8,024,787 B2
Filed: 05/02/2006
Issued: 09/20/2011
Est. Priority Date: 05/02/2006
Status: Active Grant

First Claim

Patent Images

1. A packet switching device configured for processing packets, the packet switching device comprising:

a plurality of interfaces configured to receive and send packets;

one or more physical processors and physical memory configured to implement a plurality of firewalls, with each of the plurality of firewalls configured to perform firewall functionality on packets, with each firewall of the plurality of firewalls associated with a plurality of accesses; and

routing or switching or control functionality configured to control the processing and movement of packets between the plurality of interfaces and said one or more physical processors and physical memory;

wherein each interface of the plurality of interfaces is mapped to both a mapped firewall of the plurality of firewalls and an access of said accesses of the mapped firewall;

wherein said performance of said firewall functionality performed on a particular packet by a particular firewall of the plurality of firewalls is determined based on a particular entry access and a particular exit access of said accesses of the particular firewall determined based on the routing of the particular packet between the plurality of interfaces, and programming of said firewall functionality based on the particular entry access and on the particular exit access; and

wherein the packet switching device is configured to successively apply, to the particular packet, a first particular virtual firewall of the plurality of firewalls and then a second particular virtual firewall of the plurality of firewalls.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more firewalls are used to perform firewall functionality on packets based on the entry and exit accesses of each of the one or more firewalls being applied to a packet. For example, when firewalls are included in a router, the interfaces of the router are typically mapped to virtual firewalls and access thereof. Based on the determined routing of a particular packet, the firewalls to apply and their corresponding entry and exit accesses are identified. In order to decouple the application by the firewall itself of the security policies from the network topology and routing architecture (e.g., the network routing address information which is typically relied upon by current firewalls), the firewall functionality is defined based on the identified entry and exit accesses of a firewall, rather than based on network defined addresses, for example.

Citations

32 Claims

1. A packet switching device configured for processing packets, the packet switching device comprising:
- a plurality of interfaces configured to receive and send packets;
  
  one or more physical processors and physical memory configured to implement a plurality of firewalls, with each of the plurality of firewalls configured to perform firewall functionality on packets, with each firewall of the plurality of firewalls associated with a plurality of accesses; and
  
  routing or switching or control functionality configured to control the processing and movement of packets between the plurality of interfaces and said one or more physical processors and physical memory;
  
  wherein each interface of the plurality of interfaces is mapped to both a mapped firewall of the plurality of firewalls and an access of said accesses of the mapped firewall;
  
  wherein said performance of said firewall functionality performed on a particular packet by a particular firewall of the plurality of firewalls is determined based on a particular entry access and a particular exit access of said accesses of the particular firewall determined based on the routing of the particular packet between the plurality of interfaces, and programming of said firewall functionality based on the particular entry access and on the particular exit access; and
  
  wherein the packet switching device is configured to successively apply, to the particular packet, a first particular virtual firewall of the plurality of firewalls and then a second particular virtual firewall of the plurality of firewalls.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The packet switching device of claim 1, wherein one or more of the plurality of firewalls is a virtual firewall implemented in the packet switching device.
  - 3. The packet switching device of claim 2, wherein each of the plurality of interfaces is a physical interface.
  - 4. The packet switching device of claim 2, wherein said programming of said firewall functionality does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 5. The packet switching device of claim 1, wherein one or more specific firewalls of the plurality of firewalls includes at least three accesses, and said programming of said firewall functionality of said one or more specific firewalls references said at least three accesses.
  - 6. The packet switching device of claim 1, wherein at least two of said interfaces are mapped to a single one of said accesses of a specific firewall of the plurality of firewalls.
  - 7. The packet switching device of claim 1, wherein the packet switching device is a router.
  - 8. The packet switching device of claim 1, wherein said one or more mapping data structures includes a default access mapping specifying an access of said accesses to be used as default for one or more of the plurality of firewalls.
  - 9. The packet switching device of claim 1, wherein said one or more mapping data structures is a single data structure.
  - 10. The packet switching device of claim 1, wherein the particular firewall, the particular entry access, and the particular exit access are determined based on one or more lookup operations in one or more mapping data structures maintaining mappings between the plurality of firewalls and the plurality of interfaces, and between said accesses of the plurality of firewalls and the plurality of interfaces.

11. A packet switching device configured for processing packets, the packet switching device comprising:
- a plurality of interfaces configured to receive and send packets;
  
  one or more physical processors and physical memory configured to implement a plurality of firewalls, with each said firewall of the plurality of firewalls configured to perform firewall functionality on packets, with each firewall of the plurality of firewalls including a plurality of accesses, with each of the plurality of interfaces mapped to one of the plurality of firewalls and an access associated therewith in one or more mapping data structures maintaining mappings between the plurality of firewalls and the plurality of interfaces, and between said accesses of the plurality of firewalls and the plurality of interfaces;
  
  wherein said performance of said firewall functionality performed on a particular packet is determined based on a particular firewall of said firewalls, an entry access and an exit access of said accesses of said particular firewall, with the particular firewall and the entry access and exit access being determined based on one or more lookup operations performed on said one or more mapping data structures, and programming of the particular firewall referencing the entry access and the exit access; and
  
  routing or switching or control functionality configured to control the processing and movement of said packets between the plurality of interfaces and said one or more physical processors and physical memory;
  
  wherein each of the plurality of firewalls is a virtual firewall implemented in the packet switching device; and
  
  wherein the packet switching device is configured to successively apply two of the plurality of firewalls to a particular packet.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The packet switching device of claim 11, wherein at least two of said firewalls are controlled by separate and independent management entities.
  - 13. The packet switching device of claim 11, wherein each of the plurality of interfaces is a physical interface.
  - 14. The packet switching device of claim 13, wherein said programming of said firewalls does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 15. The packet switching device of claim 11, wherein the particular firewall includes at least three accesses, and said programming of the particular firewall references said at least three accesses.
  - 16. The packet switching device of claim 11, wherein said one or more mapping data structures includes a default access mapping specifying an access of said accesses to be used as default for at least one of said firewalls.
  - 17. The packet switching device of claim 11, wherein said programming of said firewalls does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 18. The packet switching device of claim 11, wherein the packet switching device is a router.
  - 19. The packet switching device of claim 11, wherein at least two of said interfaces are mapped to a single one of said accesses on a single one of said firewalls.
  - 20. The packet switching device of claim 11, wherein said one or more mapping data structures is a single data structure.

21. A packet switching device configured for processing packets, the packet switching device comprising:
- a plurality of interfaces configured to receive and send packets;
  
  one or more physical processors and physical memory configured to implement a plurality of virtual firewalls, with each said virtual firewall of the plurality of virtual firewalls configured to perform firewall functionality on packets, with each virtual firewall of said virtual firewalls including a plurality of accesses, with each of the plurality of interfaces mapped to one of said virtual firewalls and an access associated therewith in one or more mapping data structures maintaining mappings between the plurality of virtual firewalls and the plurality of interfaces, and between said accesses of the plurality of virtual firewalls and the plurality of interfaces;
  
  wherein said performance of said firewall functionality performed on a particular packet is determined based on one or more of said virtual firewalls applied to the particular packet as determined from said mappings between the plurality of virtual firewalls and the plurality of interfaces said maintained in said one or more mapping data structures, and said firewall functionality applied by each particular virtual firewall of said one or more of said virtual firewalls applied to the particular packet is determined based on the corresponding entry access and exit access of said accesses of said particular virtual firewall corresponding to the particular packet as determined from said mappings between said accesses of the plurality of virtual firewalls and the plurality of interfaces said maintained in said one or more mapping data structures, and programming of the said particular virtual firewall referencing the entry access and the exit access; and
  
  routing or switching or control functionality configured to determine and control the processing and movement of said packets between the plurality of interfaces and said virtual firewalls said implemented by said one or more physical processors and physical memory, wherein said determination for the particular packet includes performing one or more lookup operations in one or more mapping data structures to identify said one or more of said virtual firewalls and their entry and exit access thereof;
  
  wherein the packet switching device is configured to successively apply, to the particular packet, a first particular virtual firewall of the plurality of firewalls and then a second particular virtual firewall of the plurality of firewalls.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The packet switching device of claim 21, wherein said programming of said virtual firewalls does not include references to the plurality of interfaces or Internet Protocol (IP) or media access control (MAC) addresses associated with the plurality of interfaces.
  - 23. The packet switching device of claim 21, wherein at least one of said virtual firewalls includes at least three accesses and its said programming referencing said at least three accesses.
  - 24. The packet switching device of claim 21, wherein said one or more mapping data structures includes a default access mapping specifying an access of said accesses to be used as default for the firewall.
  - 25. The packet switching device of claim 21, wherein the packet switching device is a router.
  - 26. The packet switching device of claim 21, wherein at least two of said interfaces are mapped to a single one of said accesses on a single one of said virtual firewalls.
  - 27. The packet switching device of claim 21, wherein said one or more mapping data structures is a single data structure.

28. A method performed by a packet switching device, the packet switching device comprising:
- a plurality of interfaces and a plurality of accesses on each of a plurality of virtual firewalls;
  
  the method comprising;
  
  maintaining one or more mapping data structures including one or more mappings from each specific interface of the plurality of interfaces to;
  
  a specific firewall of the plurality of virtual firewalls and a specific access of the specific firewall;
  
  in response to an identification of a particular packet and an associated particular source interface of the plurality of interfaces and an associated particular destination interface of the plurality of interfaces;
  
  determining, based on one or more lookup operations in said one or more mapping data structures, a first particular virtual firewall of said virtual firewalls on which to apply to the particular packet, a first entry access of the particular virtual firewall corresponding the particular source interface and an first exit access of the first particular firewall, and determining, based on one or more lookup operations in said one or more mapping data structures, a second particular virtual firewall of said virtual firewalls on which to apply to the particular packet, a second entry access of the second particular virtual firewall and a second exit access of the second particular virtual firewall corresponding the particular destination interface; and
  
  successively applying to the particular packet in order to determine how to manipulate the particular packet;
  
  the first particular virtual firewall based on the first entry and exit accesses and then the second particular virtual firewall based on the second entry and exit accesses; and
  
  performing said manipulation on the particular packet.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The method of claim 28, wherein the packet switching device is a router.
  - 30. The method of claim 28, wherein the first exit access is said determined from a default access mapping specifying an access to be used as default for the first firewall;
    - and wherein the second entry access is said determined from a default access mapping specifying an access to be used as default for the second firewall.
  - 31. The method of claim 28, wherein the first particular firewall is said applied to the particular packet prior to the second particular firewall.
  - 32. The method of claim 28, wherein said one or more mapping data structures is a single data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Oz, Doron, Ben-Dvora, Nir, Eli, Eldad Bar
Primary Examiner(s)
PEARSON, DAVID J

Application Number

US11/416,297
Publication Number

US 20070261110A1
Time in Patent Office

1,967 Days
Field of Search

None
US Class Current

726/13
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/56   Routing software

H04L 63/0227   Filtering policies mail mes...

Packet firewalls of particular use in packet switching devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Packet firewalls of particular use in packet switching devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links