Packet firewalls of particular use in packet switching devices
First Claim
1. A packet switching device configured for processing packets, the packet switching device comprising:
a plurality of interfaces configured to receive and send packets;
one or more physical processors and physical memory configured to implement a plurality of firewalls, with each of the plurality of firewalls configured to perform firewall functionality on packets, with each firewall of the plurality of firewalls associated with a plurality of accesses; and
routing or switching or control functionality configured to control the processing and movement of packets between the plurality of interfaces and said one or more physical processors and physical memory;
wherein each interface of the plurality of interfaces is mapped to both a mapped firewall of the plurality of firewalls and an access of said accesses of the mapped firewall;
wherein said performance of said firewall functionality performed on a particular packet by a particular firewall of the plurality of firewalls is determined based on a particular entry access and a particular exit access of said accesses of the particular firewall determined based on the routing of the particular packet between the plurality of interfaces, and programming of said firewall functionality based on the particular entry access and on the particular exit access; and
wherein the packet switching device is configured to successively apply, to the particular packet, a first particular virtual firewall of the plurality of firewalls and then a second particular virtual firewall of the plurality of firewalls.
1 Assignment
0 Petitions
Abstract
One or more firewalls are used to perform firewall functionality on packets based on the entry and exit accesses of each of the one or more firewalls being applied to a packet. For example, when firewalls are included in a router, the interfaces of the router are typically mapped to virtual firewalls and accesses thereof. Based on the determined routing of a particular packet, the firewalls to apply and their corresponding entry and exit accesses are identified. In order to decouple the firewall's application of its security policies from the network topology and routing architecture (e.g., the network routing address information that current firewalls typically rely upon), the firewall functionality is defined based on the identified entry and exit accesses of a firewall rather than, for example, on network-defined addresses.
32 Claims
1. (Claim 1 is set out in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A packet switching device configured for processing packets, the packet switching device comprising:
a plurality of interfaces configured to receive and send packets;
one or more physical processors and physical memory configured to implement a plurality of firewalls, with each said firewall of the plurality of firewalls configured to perform firewall functionality on packets, with each firewall of the plurality of firewalls including a plurality of accesses, with each of the plurality of interfaces mapped to one of the plurality of firewalls and an access associated therewith in one or more mapping data structures maintaining mappings between the plurality of firewalls and the plurality of interfaces, and between said accesses of the plurality of firewalls and the plurality of interfaces;
wherein said performance of said firewall functionality performed on a particular packet is determined based on a particular firewall of said firewalls, an entry access and an exit access of said accesses of said particular firewall, with the particular firewall and the entry access and exit access being determined based on one or more lookup operations performed on said one or more mapping data structures, and programming of the particular firewall referencing the entry access and the exit access; and
routing or switching or control functionality configured to control the processing and movement of said packets between the plurality of interfaces and said one or more physical processors and physical memory;
wherein each of the plurality of firewalls is a virtual firewall implemented in the packet switching device; and
wherein the packet switching device is configured to successively apply two of the plurality of firewalls to a particular packet.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A packet switching device configured for processing packets, the packet switching device comprising:
a plurality of interfaces configured to receive and send packets;
one or more physical processors and physical memory configured to implement a plurality of virtual firewalls, with each said virtual firewall of the plurality of virtual firewalls configured to perform firewall functionality on packets, with each virtual firewall of said virtual firewalls including a plurality of accesses, with each of the plurality of interfaces mapped to one of said virtual firewalls and an access associated therewith in one or more mapping data structures maintaining mappings between the plurality of virtual firewalls and the plurality of interfaces, and between said accesses of the plurality of virtual firewalls and the plurality of interfaces;
wherein said performance of said firewall functionality performed on a particular packet is determined based on one or more of said virtual firewalls applied to the particular packet as determined from said mappings between the plurality of virtual firewalls and the plurality of interfaces said maintained in said one or more mapping data structures, and said firewall functionality applied by each particular virtual firewall of said one or more of said virtual firewalls applied to the particular packet is determined based on the corresponding entry access and exit access of said accesses of said particular virtual firewall corresponding to the particular packet as determined from said mappings between said accesses of the plurality of virtual firewalls and the plurality of interfaces said maintained in said one or more mapping data structures, and programming of said particular virtual firewall referencing the entry access and the exit access; and
routing or switching or control functionality configured to determine and control the processing and movement of said packets between the plurality of interfaces and said virtual firewalls said implemented by said one or more physical processors and physical memory, wherein said determination for the particular packet includes performing one or more lookup operations in one or more mapping data structures to identify said one or more of said virtual firewalls and their entry and exit access thereof;
wherein the packet switching device is configured to successively apply, to the particular packet, a first particular virtual firewall of the plurality of firewalls and then a second particular virtual firewall of the plurality of firewalls.
Dependent claims: 22, 23, 24, 25, 26, 27.
28. A method performed by a packet switching device, the packet switching device comprising:
a plurality of interfaces and a plurality of accesses on each of a plurality of virtual firewalls;
the method comprising:
maintaining one or more mapping data structures including one or more mappings from each specific interface of the plurality of interfaces to a specific firewall of the plurality of virtual firewalls and a specific access of the specific firewall;
in response to an identification of a particular packet and an associated particular source interface of the plurality of interfaces and an associated particular destination interface of the plurality of interfaces:
determining, based on one or more lookup operations in said one or more mapping data structures, a first particular virtual firewall of said virtual firewalls on which to apply to the particular packet, a first entry access of the first particular virtual firewall corresponding to the particular source interface and a first exit access of the first particular virtual firewall, and determining, based on one or more lookup operations in said one or more mapping data structures, a second particular virtual firewall of said virtual firewalls on which to apply to the particular packet, a second entry access of the second particular virtual firewall and a second exit access of the second particular virtual firewall corresponding to the particular destination interface; and
successively applying to the particular packet, in order to determine how to manipulate the particular packet, the first particular virtual firewall based on the first entry and exit accesses and then the second particular virtual firewall based on the second entry and exit accesses; and
performing said manipulation on the particular packet.
Dependent claims: 29, 30, 31, 32.
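The abstract and claim 28 describe a concrete mechanism: a mapping data structure from each interface to a (virtual firewall, access) pair, a lookup driven by the packet's source and destination interfaces, a policy keyed on the resulting (entry access, exit access) pair rather than on addresses, and successive application of a first and then a second virtual firewall. The following Python model is an added illustration of that mechanism written for this page; it is not code from the patent or from any product. The interface names, firewall names, access names, rules and packets are all constructed, and the choice that two different virtual firewalls hand a packet over through a shared access named "transit" is an assumption the page does not state.

```python
"""
Access-based virtual firewall chain (added illustration, not the patent's code).

Data model (all names and values constructed for this example):
  INTERFACE_MAP : interface -> (virtual firewall, access)      the mapping data structure
  POLICY        : firewall -> {(entry access, exit access): [rule, ...]}
Each rule is (predicate over the packet, action); the first matching rule wins,
and an (entry, exit) pair with no matching rule denies the packet (default deny).
Rules never mention IP addresses: re-cabling or re-addressing a network only
changes INTERFACE_MAP, which is the decoupling the abstract describes.
ASSUMPTION (not on the page): when the source and destination interfaces map to
different virtual firewalls, the first firewall's exit access and the second
firewall's entry access are a shared access named TRANSIT_ACCESS.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
Rule = Tuple[Callable[[Packet], bool], str]      # (predicate, "permit" | "deny")

TRANSIT_ACCESS = "transit"                        # assumed inter-firewall access

INTERFACE_MAP: Dict[str, Tuple[str, str]] = {     # constructed mapping
    "eth0": ("vfw-A", "outside"),
    "eth1": ("vfw-A", "inside"),
    "eth2": ("vfw-B", "dmz"),
}

def tcp_port(*ports: int) -> Callable[[Packet], bool]:
    """Predicate: TCP packet whose destination port is one of `ports`."""
    return lambda p: p["proto"] == "tcp" and p["dport"] in ports

ANY: Callable[[Packet], bool] = lambda p: True

POLICY: Dict[str, Dict[Tuple[str, str], List[Rule]]] = {  # constructed policy
    "vfw-A": {
        ("outside", "inside"):         [(tcp_port(443), "permit")],
        ("inside", "outside"):         [(ANY, "permit")],
        ("outside", TRANSIT_ACCESS):   [(tcp_port(80, 443), "permit")],
        ("inside", TRANSIT_ACCESS):    [(ANY, "permit")],
        (TRANSIT_ACCESS, "inside"):    [(ANY, "deny")],   # nothing from the DMZ side inward
        (TRANSIT_ACCESS, "outside"):   [(ANY, "permit")],
    },
    "vfw-B": {
        (TRANSIT_ACCESS, "dmz"):       [(tcp_port(80, 443), "permit")],
        ("dmz", TRANSIT_ACCESS):       [(tcp_port(443), "permit")],
    },
}

@dataclass
class Verdict:
    action: str                                   # "permit" or "deny"
    # one entry per firewall applied: (firewall, entry access, exit access, action)
    trace: List[Tuple[str, str, str, str]] = field(default_factory=list)

def plan_chain(src_if: str, dst_if: str) -> List[Tuple[str, str, str]]:
    """Lookups in INTERFACE_MAP: ordered (firewall, entry, exit) triples to apply."""
    fw_in, acc_in = INTERFACE_MAP[src_if]
    fw_out, acc_out = INTERFACE_MAP[dst_if]
    if fw_in == fw_out:                           # one firewall, both accesses on it
        return [(fw_in, acc_in, acc_out)]
    return [(fw_in, acc_in, TRANSIT_ACCESS),      # first firewall: source access -> transit
            (fw_out, TRANSIT_ACCESS, acc_out)]    # second firewall: transit -> destination access

def apply_firewall(fw: str, entry: str, exit_: str, pkt: Packet) -> str:
    """Firewall functionality programmed on the (entry, exit) access pair."""
    for pred, action in POLICY.get(fw, {}).get((entry, exit_), []):
        if pred(pkt):
            return action
    return "deny"                                 # no rule for this access pair

def process(pkt: Packet, src_if: str, dst_if: str) -> Verdict:
    """Apply the firewalls successively; the first deny ends processing."""
    verdict = Verdict("permit")
    for fw, entry, exit_ in plan_chain(src_if, dst_if):
        action = apply_firewall(fw, entry, exit_, pkt)
        verdict.trace.append((fw, entry, exit_, action))
        if action != "permit":
            verdict.action = "deny"
            break
    return verdict

if __name__ == "__main__":
    # constructed packets; note that no rule above looks at the addresses
    https = {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "proto": "tcp", "dport": 443}
    ssh = dict(https, dport=22)
    for pkt, src, dst in [(https, "eth0", "eth1"), (ssh, "eth0", "eth1"),
                          (https, "eth0", "eth2"), (https, "eth2", "eth1")]:
        v = process(pkt, src, dst)
        print(f"{src}->{dst} tcp/{pkt['dport']}: {v.action}  {v.trace}")
```

The trace returned by `process` is what a defender wants in the audit log: it records which virtual firewall, which entry access and which exit access produced each decision, so a denied flow can be traced to the access pair that lacked a rule rather than to an address that may have been renumbered since the policy was written.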