Intelligent integrated network security device

US 8,332,948 B2
Filed: 10/08/2009
Issued: 12/11/2012
Est. Priority Date: 02/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

receiving a data packet;

examining the data packet;

identifying a packet identifier using header data associated with the data packet;

searching a flow table, using the packet identifier, to identify a single flow record associated with the data packet;

extracting instructions for two or more security devices from the single flow record when the single flow record is identified in the flow table, the instructions relating to processing the data packet;

communicating a respective one of the instructions to a respective one of the two or more security devices,communicating the respective one of the instructions to the respective one of the two or more security devices including;

communicating a first instruction, of the instructions, to a first security device of the two or more security devices, andcommunicating a second instruction, of the instructions, to a second security device, of the two or more security devices, different than the first security device;

receiving, from each of the two or more security devices, evaluation information,the evaluation information, received from the first security device, being generated by the first security device based on the first instruction, andthe evaluation information, received from the second security device, being generated by the second security device based on the second instruction; and

processing the data packet using the evaluation information received from each of the two or more security devices.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

Citations

41 Claims

1. A method comprising:
- receiving a data packet;
  
  examining the data packet;
  
  identifying a packet identifier using header data associated with the data packet;
  
  searching a flow table, using the packet identifier, to identify a single flow record associated with the data packet;
  
  extracting instructions for two or more security devices from the single flow record when the single flow record is identified in the flow table, the instructions relating to processing the data packet;
  
  communicating a respective one of the instructions to a respective one of the two or more security devices,communicating the respective one of the instructions to the respective one of the two or more security devices including;
  
  communicating a first instruction, of the instructions, to a first security device of the two or more security devices, andcommunicating a second instruction, of the instructions, to a second security device, of the two or more security devices, different than the first security device;
  
  receiving, from each of the two or more security devices, evaluation information,the evaluation information, received from the first security device, being generated by the first security device based on the first instruction, andthe evaluation information, received from the second security device, being generated by the second security device based on the second instruction; and
  
  processing the data packet using the evaluation information received from each of the two or more security devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, where examining the data packet includes inspecting the header data to determine whether the data packet is to be forwarded.
  - 3. The method of claim 1, where extracting the instructions for the two or more security devices from the single flow record includes obtaining:
    - information for locating the data packet in memory, andinformation providing a position of the data packet within a flow associated with the single flow record.
  - 4. The method of claim 1, further comprising:
    - when the single flow record associated with the data packet is identified in the flow table, retrieving the single flow record;
      
      orwhen the single flow record associated with the data packet is not identified in the flow table;
      
      creating a new flow record associated with the data packet; and
      
      storing the new flow record in the flow table.
  - 5. The method of claim 1, where extracting the instructions from the single flow record includes:
    - extracting session information and flow information from the single flow record; and
      
      where communicating the respective one of the instructions to the respective one of the two or more security devices further includes;
      
      communicating the session information and the flow information to the two or more security devices.
  - 6. The method of claim 4, where creating the new flow record includes:
    - creating new session information;
      
      receiving device specific flow information, associated with the data packet, from each of the two or more security devices; and
      
      associating the new session information and the device specific flow information, received from each of the two or more security devices, with the new flow record.
  - 7. The method of claim 6, further comprising:
    - storing the device specific flow information, received from each of the two or more security devices, along with the new session information in the new flow record.
  - 8. The method of claim 1, further comprising:
    - processing, using the extracted instructions, the data packet in each of the two or more security devices.
  - 9. The method of claim 1, where processing the data packet includes determining whether the data packet is to be forwarded.
  - 24. The method of claim 1, where the two or more security devices are included in a same hardware package.
  - 25. The method of claim 24, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.
  - 26. The method of claim 1, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.
  - 27. The method of claim 1, where the two or more security devices are included in a combination of hardware packages.
  - 28. The method of claim 27, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.

10. A non-transitory computer-readable medium comprising:
- a plurality of instructions which, when executed by a device, cause the device to;
  
  receive a data packet;
  
  examine the data packet;
  
  identify a packet identifier using header data associated with the data packet;
  
  search a flow table, using the packet identifier, to identify a single flow record associated with the data packet;
  
  extract instructions, for two or more security devices, from the single flow record when the single flow record is identified in the flow table, the instructions relating to processing the data packet;
  
  communicate a respective one of the instructions to a respective one of the two or more security devices,one or more instructions, of the plurality of instructions, to communicate the respective one of the instructions to the respective one of the two or more security devices including;
  
  one or more instructions to communicate a first instruction, of the instructions, to a first security device of the two or more security devices, andone or more instructions to communicate a second instruction, of the instructions, to a second security device, of the two or more security devices, different than the first security device;
  
  receive, from each of the two or more security devices, evaluation information,the evaluation information, received from the first security device, being generated by the first security device based on the first instruction, andthe evaluation information, received from the second security device, being generated by the second security device based on the second instruction; and
  
  process the data packet using the evaluation information received from each of the two or more security devices.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 11. The non-transitory computer-readable medium of claim 10, where one or more instructions, of the plurality of instructions, to examine the data packet include:
    - one or more instructions to inspect the header data to determine whether the data packet is to be forwarded.
  - 12. The non-transitory computer-readable medium of claim 10, where one or more instructions, of the plurality of instructions, to extract the instructions for the two or more security devices from the single flow record include:
    - one or more instructions to obtain;
      
      information for locating the data packet in a memory associated with the system, andinformation providing a position of the data packet within a flow associated with the single flow record.
  - 13. The non-transitory computer-readable medium of claim 10, where the plurality of instructions further comprises:
    - one or more instructions to retrieve the single flow record when the single flow record is identified in the flow table;
      
      one or more instructions to create a new flow record when the single flow record is not identified in the flow table; and
      
      one or more instructions to store the new flow record in the flow table.
  - 14. The non-transitory computer-readable medium of claim 10, where one or more instructions, of the plurality of instructions, to extract the instructions from the single flow record include one or more instructions to extract session information and flow information from the single flow record;
    - andwhere the one or more instructions to communicate the respective one of the instructions to the respective one of the two or more security devices further include one or more instructions to communicate the session information and the flow information to the two or more security devices.
  - 15. The non-transitory computer-readable medium of claim 13, where the one or more instructions to create the new flow record include one or more instructions to:
    - create a new session information;
      
      receive device specific flow information associated with the data packet from each of the two or more security devices; and
      
      associate the new session information and the device specific flow information, received from each of the two or more security devices, with the new flow record.
  - 16. The non-transitory computer-readable medium of claim 15, where the plurality of instructions further comprises:
    - one or more instructions to store the device specific flow information, received from each of the two or more security devices, along with the new session information, in the single flow record.
  - 17. The non-transitory computer-readable medium of claim 10, where the plurality of instructions further comprises:
    - one or more instructions to process the data packet in each of the two or more security devices using the extracted instructions.
  - 18. The non-transitory computer-readable medium of claim 10, where one or more instructions, of the plurality of instructions, to process the data packet include one or more instructions to determine whether the data packet is to be forwarded.
  - 19. The non-transitory computer-readable medium of claim 10, where the two or more security devices are included in a same hardware package.
  - 20. The non-transitory computer-readable medium of claim 19, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.
  - 21. The non-transitory computer-readable medium of claim 10, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.
  - 22. The non-transitory computer-readable medium of claim 10, where the two or more security devices are included in a combination of hardware packages.
  - 23. The non-transitory computer-readable medium of claim 22, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.

29. A method comprising:
- examining a data packet;
  
  identifying, based on examining the data packet, a packet identifier using header data associated with the data packet;
  
  searching a flow table, using the packet identifier, to identify a single flow record associated with the data packet;
  
  extracting, from the single flow record when the single flow record is identified in the flow table, instructions for two or more of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router, the instructions relating to processing the data packet;
  
  communicating a respective one of the instructions to a respective one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router,communicating the respective one of the instructions to the respective one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router including;
  
  communicating a first instruction, of the instructions, to a first one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router, andcommunicating a second instruction, of the instructions, to a second one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router, different than the first one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router;
  
  receiving evaluation information from each of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router,the evaluation information, received from the first one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router, being generated by the first one of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router based on the first instruction, andthe evaluation information, received from the second one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router, being generated by the second one of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router based on the second instruction; and
  
  processing the data packet using the evaluation information received from each of the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router.
- View Dependent Claims (30, 31)
- - 30. The method of claim 29, where the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router are included in a same hardware package.
  - 31. The method of claim 29, where the two or more of the intrusion detection system, the intrusion prevention system, the firewall, or the flow-based router are included in a combination of hardware packages.

32. A system comprising:
- a device to;
  
  examine a data packet;
  
  identify, based on examining the data packet, a packet identifier using header data associated with the data packet;
  
  search a flow table, using the packet identifier, to identify a single flow record associated with the data packet;
  
  extract instructions for two or more security devices from the single flow record, the instructions relating to processing the data packet;
  
  communicate a respective one of the instructions to a respective one of the two or more security devices,when communicating the respective one of the instructions to the respective one of the two or more security devices, the device is to;
  
  communicate a first instruction, of the instructions, to a first security device of the two or more security devices, andcommunicate a second instruction, of the instructions, to a second security device, of the two or more security devices, different than the first security device;
  
  receive, from each of the two or more security devices, evaluation information,the evaluation information, received from the first security device, being generated by the first security device based on the first instruction, andthe evaluation information, received from the second security device, being generated by the second security device based on the second instruction; and
  
  process the data packet using the evaluation information received from each of the two or more security devices.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 33. The system of claim 32,where the flow table includes an index key, and device specific flow information for the two or more security devices.
  - 34. The system of claim 33, where the device is further totransmit the device specific flow information to each of the two or more security devices.
  - 35. The system of claim 32, where the device is to:
    - further process the data packet by at least one of dropping the data packet, logging the data packet, storing the data packet, or forwarding the data packet.
  - 36. The system of claim 32,where the flow table includes one or more flow records that include policy information for use by the two or more security devices when processing the data packet.
  - 37. The system of claim 32, where the two or more security devices are included in a same hardware package.
  - 38. The system of claim 37, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.
  - 39. The system of claim 32, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.
  - 40. The system of claim 32, where the two or more security devices are included in a combination of hardware packages.
  - 41. The system of claim 40, where the two or more security devices are each at least one of an intrusion detection system, an intrusion prevention system, a firewall, or a flow-based router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zuk, Nir
Primary Examiner(s)
Reza, Mohammad W

Application Number

US12/575,997
Publication Number

US 20100132030A1
Time in Patent Office

1,160 Days
Field of Search

726/13, 726/11, 726/17, 726/22, 726/23, 726/25, 713/160, 713/164
US Class Current

726/25
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 69/22   Parsing or analysis of headers

Intelligent integrated network security device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent integrated network security device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links