Method, systems, and computer program products for implementing function-parallel network firewall
Abstract
Methods, systems, and computer program products for providing function-parallel firewalls are disclosed. According to one aspect, a function-parallel firewall includes a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules. The first portion includes less than all of the rules in the rule set. At least one second firewall node filters packets using a second portion of the rule set. The second portion includes at least one rule in the rule set that is not present in the first portion. The first and second portions together include all of the rules in the rule set.
105 Citations
46 Claims
1. A function-parallel firewall comprising:
(a) a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules, the first portion including less than all of the rules in the rule set; and (b) at least one second firewall node for filtering packets using a second portion of the rule set, the second portion including at least one rule in the rule set that is not present in the first portion, wherein the first and second portions together include all of the rules in the rule set, wherein the first and second firewall nodes are configured to implement a gateless design wherein the rules are distributed among the first and second firewall nodes such that for any given packet, only one of the first and the at least one second firewall nodes accepts the packet and the other of the first and at least one second firewall nodes always denies the packet, wherein each of the packets is replicated to each of the firewall nodes and wherein the first firewall node is adapted to forward packets that pass one of the rules in the first portion to an internal network in a manner that bypasses the at least one second firewall node. (Dependent claims: 2 to 13)

14. A stateful function-parallel firewall system comprising:
(a) a first function-parallel firewall subsystem including a plurality of firewall nodes implementing a first rule set for filtering packets arriving in a network, wherein the first function-parallel firewall subsystem includes at least first and second firewall nodes respectively implementing first and second portions of the first rule set, the first portion including at least one rule that is not present in the second portion; and (b) a second function-parallel firewall sub-system including a second set of firewall nodes implementing a second rule set for filtering packets departing from the network, wherein the second function-parallel firewall subsystem includes at least third and fourth firewall nodes, the third and fourth firewall nodes implementing first and second portions of the second rule set, the first portion of the second rule set including at least one rule that is not present in the second portion of the second rule set, wherein the first and second function-parallel firewall subsystems share state information regarding connections established through the first and second sets of firewall nodes, wherein the first and second function-parallel firewall subsystems each include a gateless design wherein rules are distributed among individual firewall nodes such that any given packet is accepted by only a single firewall node and is always denied by all of the remaining firewall nodes, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes. (Dependent claims: 15 to 20)

21. A firewall grid comprising:
(a) a plurality of firewall nodes being physically connected to each other via a network for filtering packets; and (b) a controller for controlling logical connections between the firewall nodes, wherein the controller is adapted to configure the firewall nodes in a logical firewall hierarchy without changing physical connections between the firewall nodes, wherein the firewall nodes are configured to implement a gateless design wherein the rules are distributed among the firewall nodes such that for any given packet, only one of the firewall nodes accepts the packet and all of the remaining firewall nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes. (Dependent claims: 22 to 24)

25. A system for providing network access control based on a function-parallel policy, the system comprising:
(a) a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules, the first portion including less than all of the rules in the rule set; and (b) at least one second firewall node for filtering packets using a second portion of the rule set, the second portion including at least one rule in the rule set that is not present in the first portion, wherein the first and second portions together include all of the rules in the rule set, wherein the first and second nodes are configured to implement a gateless design wherein the rules are distributed among the first and second firewall nodes such that for any given packet, only one of the first and second firewall nodes accepts the packet and the other of the first and second firewall nodes always denies the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes. (Dependent claims: 26 to 28)

29. A method for controlling access to a network based on a set of packet filtering rules distributed in a function-parallel manner, the method comprising:
(a) distributing packet filtering rules of a rule set among a plurality of different firewall nodes in a function-parallel manner so that at least some of the different nodes implement different portions of the rule set; (b) replicating packets to each of the nodes; and (c) applying the rules to filter the packets, wherein distributing the packet filtering rule set among the plurality of firewall nodes includes distributing the rules such that for any given packet, only one of the firewall nodes accepts the packet and all of the remaining nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes. (Dependent claims: 30 to 34)

35. A method for distributing rules in a function-parallel firewall, the method comprising:
(a) defining a rule set for a function-parallel firewall; (b) assigning rules in the rule set to nodes and branches in a trie data structure, wherein each node in the trie data structure corresponds to a data field and each branch represents a value for each data field to be compared to values in corresponding fields in received packets; (c) pruning the trie data structure in a manner that preserves ordering of the rules in the rule set; and (d) assigning rules to firewall nodes such that one node is assigned a rule that will accept a given packet and the remaining firewall nodes of the firewall are assigned rules that will deny the packet, wherein the firewall nodes implement a gateless design such that for any given packet only one node accepts the packet and all of the remaining nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes. (Dependent claims: 36 to 38)

39. A method for assigning rules to a plurality of firewall nodes, the method comprising:
(a) assigning packet filtering rules to nodes in a directed acyclical graph (DAG); (b) representing relationships between rules by edges in the DAG; and (c) distributing the rules among a plurality of firewall nodes using the DAG such that different firewall nodes implement different rules and such that relationships between the rules specified in the DAG are preserved, wherein distributing the rules among a plurality of firewall nodes includes distributing the rules such that for a given packet, only one of the firewall nodes accepts the packet and all of the remaining firewall nodes always deny the packet, wherein the firewall nodes implement a gateless design, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes. (Dependent claims: 40 to 43)

44. A computer program product comprising computer executable instructions embodied in a non-transitory computer readable medium for performing steps comprising:
(a) distributing packet filtering rules of a rule set among a plurality of different firewall nodes in a function-parallel manner so that at least some of the different firewall nodes implement different portions of the rule set; (b) replicating packets to each of the firewall nodes; and (c) applying the rules to filter the packets, wherein distributing the rules among a plurality of nodes includes distributing the rules among the nodes which implement a gateless design, where, for any given packet, only one of the nodes accepts the packet and all of the remaining nodes always deny the packet and wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.

45. A computer program product comprising computer executable instructions embodied in a non-transitory computer readable medium for performing steps comprising:
(a) defining a rule set for a function-parallel firewall; (b) assigning rules in the rule set to nodes and branches in a trie data structure, wherein each node in the trie data structure corresponds to a data field and each branch represents a value for each data field to be compared to values in corresponding fields in received packets; (c) pruning the trie data structure in a manner that preserves ordering of the rules in the rule set; and (d) assigning rules to firewall nodes such that only one node is assigned a rule that accepts a given packet and all of the remaining firewall nodes of the firewall are assigned rules that always deny the packet, wherein the firewall nodes implement a gateless design, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.

46. A computer program product comprising computer executable instructions embodied in a non-transitory computer readable medium for performing steps comprising:
(a) assigning rules to nodes in a directed acyclical graph (DAG); (b) representing relationships between rules by edges in the DAG; and (c) distributing the rules among a plurality of firewall nodes using the DAG such that the relationships between the rules specified in the DAG are preserved, wherein distributing the rules among a plurality of firewall nodes includes distributing the rules among the nodes, which implement a gateless design, where, for any given packet, only one of the firewall nodes accepts the packet and all of the remaining firewall nodes always deny the packet, wherein each of the packets is replicated to each of the firewall nodes, and wherein a packet that is accepted by one of the firewall nodes is forwarded to an internal network in a manner that bypasses the remaining firewall nodes.

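The gateless property the claims keep returning to (claims 1 and 29: every packet is replicated to every node, exactly one node may accept it, and the accepting node forwards it without consulting the others) only holds if rule ordering survives the split; claims 39 and 46 capture that ordering as edges between related rules in a DAG. The following Python model is an added example, not code from the patent or its assignee. It treats "rule a precedes rule b and some packet could match both" as the relationship edge, and it preserves that edge by giving each node a deny copy of every earlier related rule; that placement scheme, the `Rule`/`Packet` model, the sample policy and the packet space are all constructed for this example, not the patent's own procedure. The point for a defender is the checker: a naive round-robin split lets one node accept a packet the original policy denies (an SSH packet that rule r0 should have dropped) and lets two nodes accept the same packet, while the ordering-preserving split reproduces the original policy verdict for every packet in the space.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from itertools import product


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: tuple        # inclusive destination-port range (low, high)
    action: str         # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def R(src, dst, ports, action):
    return Rule(IPv4Network(src), IPv4Network(dst), ports, action)


def matches(rule, pkt):
    return (pkt.src in rule.src and pkt.dst in rule.dst
            and rule.ports[0] <= pkt.dport <= rule.ports[1])


def first_match(rules, pkt):
    """One node's verdict: first matching rule wins, implicit default deny."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "deny"


def intersects(a, b):
    """True when some packet could match both rules. Together with the original
    ordering this is the rule relationship (an edge from the earlier to the later rule)."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def distribute_naive(rules, n):
    """Round-robin split that ignores rule relationships (the broken baseline)."""
    return [rules[i::n] for i in range(n)]


def distribute_gateless(rules, n):
    """Assign accept rules round-robin. Each node also keeps, in original order, a deny
    copy of every earlier rule that intersects one of its own accept rules, so the node
    cannot accept a packet that an earlier rule (wherever it lives) should have caught.
    Assumption for this example: one way to satisfy the claims' constraint, not the
    patent's own method."""
    accepts = [i for i, r in enumerate(rules) if r.action == "accept"]
    owner = {idx: k % n for k, idx in enumerate(accepts)}
    portions = []
    for node in range(n):
        mine = [i for i in accepts if owner[i] == node]
        portion = []
        for i, r in enumerate(rules):
            if i in mine:
                portion.append(r)
            elif any(i < j and intersects(r, rules[j]) for j in mine):
                portion.append(replace(r, action="deny"))
        portions.append(portion)
    return portions


def function_parallel_filter(portions, pkt):
    """Replicate the packet to every node and return the nodes that accept it. In the
    gateless design the accepting node forwards directly, so this must never hold two."""
    return [k for k, p in enumerate(portions) if first_match(p, pkt) == "accept"]


def check_gateless(rules, portions, packets):
    """Compare the parallel firewall with the original ordered policy over a packet space.
    Returns (packet, expected verdict, accepting nodes) for every violation."""
    violations = []
    for pkt in packets:
        accepting = function_parallel_filter(portions, pkt)
        expected = first_match(rules, pkt)
        if (expected == "accept" and len(accepting) != 1) or (expected == "deny" and accepting):
            violations.append((pkt, expected, accepting))
    return violations


# Constructed sample policy (not from the patent); ordering matters: r0 must shadow r1.
POLICY = [
    R("10.0.0.0/8",  "192.168.1.10/32", (22, 22),   "deny"),    # r0: no SSH to the server from 10/8
    R("10.1.0.0/16", "192.168.1.10/32", (0, 1023),  "accept"),  # r1: 10.1/16 may reach low ports
    R("10.0.0.0/8",  "192.168.1.0/24",  (80, 80),   "accept"),  # r2: HTTP to the subnet from 10/8
    R("0.0.0.0/0",   "192.168.1.10/32", (443, 443), "accept"),  # r3: HTTPS to the server from anywhere
]

# Constructed packet space: sources, destinations and ports that exercise every overlap.
SAMPLE_PACKETS = [Packet(IPv4Address(s), IPv4Address(d), p)
                  for s, d, p in product(["10.1.2.3", "10.2.3.4", "8.8.8.8"],
                                         ["192.168.1.10", "192.168.1.20"],
                                         [22, 80, 443, 8080])]

if __name__ == "__main__":
    for name, dist in (("naive", distribute_naive), ("gateless", distribute_gateless)):
        bad = check_gateless(POLICY, dist(POLICY, 2), SAMPLE_PACKETS)
        print(f"{name}: {len(bad)} violation(s)")
        for pkt, expected, nodes in bad:
            print(f"  {pkt.src}->{pkt.dst}:{pkt.dport} policy={expected} accepted_by={nodes}")
```

Run stand-alone, the naive split reports two violations for the constructed policy (the 10.1.2.3 to 192.168.1.10:22 packet is accepted by node 1 although the policy denies it, and the :80 packet is accepted by both nodes), while the gateless split reports none. The deny copies are what the DAG edges of claims 39 and 46 buy you in practice: they cost a node a few extra rules but stop a later, broader accept rule on one node from overriding an earlier deny that happens to live on another.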
Specification