Cluster architecture for network security processing
First Claim
1. A non-transitory computer-readable storage medium comprising instructions to cause a computing device to perform a method, the method comprising:
maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master;
identifying a network flow for processing by the cluster;
assigning the network flow to a selected one of the cluster computing devices;
aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises session keys of network flows assigned to the two or more cluster computing devices, each network flow being established between a respective one of the two or more cluster computing devices and an external client; and
configuring the assigned cluster computing device to process network traffic associated with the network flow.
10 Assignments
0 Petitions
Abstract
A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.
132 Citations
43 Claims
1. A non-transitory computer-readable storage medium comprising instructions to cause a computing device to perform a method, the method comprising:
maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master;
identifying a network flow for processing by the cluster;
assigning the network flow to a selected one of the cluster computing devices;
aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises session keys of network flows assigned to the two or more cluster computing devices, each network flow being established between a respective one of the two or more cluster computing devices and an external client; and
configuring the assigned cluster computing device to process network traffic associated with the network flow.
Dependent claims: 2-15.
16. A system comprising:
a cluster comprising a plurality of communicatively coupled computing devices, wherein one of the cluster computing devices is configured to operate as a cluster master, and wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master; and
a network interface communicatively coupling the cluster to an external network;
a flow assignment module implemented on the cluster master computing device and configured to assign network flows to the cluster computing devices according to one or more flow assignment rules,
wherein the cluster computing devices are configured to receive inbound network traffic via the network interface, and wherein each of the cluster computing devices comprises a traffic processing module configured to ignore inbound network traffic that is not associated with a network flow assigned thereto, and to process inbound network traffic related to network flows that are assigned to the cluster computing device according to a security policy,
wherein the cluster master is configured to aggregate flow session data received from two or more of the cluster computing devices, and wherein the flow session data comprises cache data of network flows with respective clients in an external network assigned to the two or more cluster computing devices, and
wherein assigning the network flow to a selected cluster computing device comprises configuring a flow processing module of the selected cluster computing device to identify and process network traffic associated with the assigned network flow.
Dependent claims: 17-27.
28. A method for assigning network flows within a cluster comprising a plurality of computing devices, the method comprising:
maintaining a flow assignment data structure comprising mappings between network flows and computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master;
receiving network traffic on a network interface, the network traffic corresponding to a network flow;
assigning the network flow to a selected one of the plurality of computing devices by:
identifying one or more computing devices that are eligible to be assigned the received network flow using the flow assignment data structure and one or more flow assignment rules,
selecting one of the one or more eligible computing devices according to a selection criteria, and
configuring the selected computing device to process network traffic associated with the received network flow; and
aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises security association sequences of network flows between each of the two or more cluster computing devices and respective computing devices in an external network.
Dependent claims: 29-33.
34. A method for processing network traffic by a computing device in a cluster comprising a plurality of computing devices, comprising:
receiving a network flow assignment to assign one or more network flows to the computing device from a cluster master, wherein the computing device is communicatively coupled to an external network interface and is capable of processing network flows independently of the cluster master;
receiving network traffic relating to a plurality of different network flows;
processing the received network traffic by:
identifying network traffic associated with network flows assigned to the computing device,
processing the identified network traffic according to a security policy, and
dropping network traffic that is not identified as associated with a network flow assigned to the computing device; and
transmitting flow session data to a cluster master via a network interface, the flow session data comprising a session key of a network flow assigned to the computing device and comprising a network connection between the computing device and a client.
Dependent claims: 35-38.
39. A cluster computing device, comprising:
a communication interface communicatively coupled to an external network interface and a cluster interface; and
a traffic processing module operable on a processor of the cluster computing device and configured to receive a network flow assignment from a cluster master via the cluster interface, the network flow assignment identifying one or more network flows assigned to the cluster computing device,
wherein the traffic processing module is configured to receive network traffic associated with a plurality of different network flows on the external network interface independently of the cluster master, and wherein upon receiving the network traffic, the traffic processing module is configured to identify network traffic associated with the one or more network flows assigned to the cluster computing device, to process the identified network traffic according to a security policy, and to drop network traffic that is not identified as assigned to the cluster computing device, and
wherein the cluster computing device is configured to transmit flow session data to the cluster master on the cluster interface, the flow session data comprising cache data of a network flow assigned to the cluster computing device and pertaining to a network connection between the cluster computing device and a client computing device.
Dependent claims: 40-43.
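The mechanism the abstract and independent claims 1, 16, 28, 34 and 39 describe, as a small added simulation (this is illustrative code written for this page, not the patent's own implementation or any vendor product): a cluster master keeps the flow assignment table and applies an eligibility rule plus a selection criterion; every member device sees all inbound traffic on the shared external interface but processes only the flows assigned to it and drops the rest; members report per-flow session data that the master aggregates; and a member that misses a heartbeat is failed over, with its flows reassigned (promoting a standby) and the new owner seeded from the master's aggregated session data. The member names, the capacity rule, the least-loaded selection criterion, the 5-tuple flow keys and the packets are all constructed assumptions.

```python
"""Toy model of the cluster flow-assignment scheme: a cluster master keeps a flow
assignment table, every member sees all inbound traffic but processes only its
assigned flows and drops the rest, members report flow session data that the
master aggregates, and a member that misses a heartbeat is failed over to a
standby. Constructed example; names, rules and packets are assumptions."""
import hashlib
from dataclasses import dataclass, field

CAPACITY = 4  # assumed per-member flow limit used by the assignment rule


@dataclass
class Member:
    name: str
    role: str = "active"                          # "active" or "standby"
    healthy: bool = True
    assigned: set = field(default_factory=set)    # flows this member owns
    sessions: dict = field(default_factory=dict)  # flow -> run-time session data

    def receive(self, flow, payload):
        """Traffic-processing module: handle assigned flows, drop everything else."""
        if not self.healthy or flow not in self.assigned:
            return "dropped"
        # Stand-in for policy processing: keep per-flow state the master will aggregate.
        state = self.sessions.setdefault(flow, {
            "bytes": 0,
            # constructed session key; a real device would export its own session state
            "session_key": hashlib.sha256(repr(flow).encode()).hexdigest()[:16],
        })
        state["bytes"] += len(payload)
        return "processed"


class ClusterMaster:
    def __init__(self, members):
        self.members = {m.name: m for m in members}
        self.flow_table = {}       # flow -> member name (the flow assignment data structure)
        self.global_sessions = {}  # aggregated flow session data

    def eligible(self):
        # Flow assignment rule (assumed): healthy active members with spare capacity.
        return [m for m in self.members.values()
                if m.healthy and m.role == "active" and len(m.assigned) < CAPACITY]

    def assign(self, flow):
        if flow in self.flow_table:
            return self.flow_table[flow]
        candidates = self.eligible()
        if not candidates:
            raise RuntimeError("no eligible cluster device for flow")
        # Selection criterion (assumed): least-loaded member, name as deterministic tie-break.
        owner = min(candidates, key=lambda m: (len(m.assigned), m.name))
        owner.assigned.add(flow)
        self.flow_table[flow] = owner.name
        return owner.name

    def dispatch(self, flow, payload):
        """Inbound traffic reaches every member's external interface; only the owner processes it."""
        self.assign(flow)
        return {name: m.receive(flow, payload) for name, m in self.members.items()}

    def aggregate(self):
        """Collect flow session data from all members into the master's global view."""
        for m in self.members.values():
            for flow, state in m.sessions.items():
                self.global_sessions[flow] = dict(state, owner=m.name)
        return self.global_sessions

    def heartbeat(self, reports):
        """Failover: members missing from the status reports lose their flows, which are
        reassigned (promoting a standby if one exists) and seeded from aggregated data."""
        self.aggregate()
        moved = {}
        for m in list(self.members.values()):
            if m.healthy and not reports.get(m.name, False):
                m.healthy = False
                orphaned = sorted(m.assigned)
                m.assigned.clear()
                standby = next((s for s in self.members.values()
                                if s.healthy and s.role == "standby"), None)
                if standby is not None:
                    standby.role = "active"
                for flow in orphaned:
                    del self.flow_table[flow]
                    new_owner = self.assign(flow)
                    seed = dict(self.global_sessions.get(flow, {}))
                    seed.pop("owner", None)
                    if seed:
                        self.members[new_owner].sessions[flow] = seed
                    moved[flow] = new_owner
        return moved


def demo():
    """Two active members and one standby; constructed flows; member A then fails."""
    master = ClusterMaster([Member("A"), Member("B"), Member("S", role="standby")])
    f1 = ("tcp", "10.0.0.1", 40000, "192.0.2.10", 443)
    f2 = ("tcp", "10.0.0.2", 40001, "192.0.2.10", 443)
    first = master.dispatch(f1, b"x" * 100)        # A takes f1; B and S drop it
    master.dispatch(f2, b"y" * 50)                 # B takes f2
    moved = master.heartbeat({"B": True, "S": True})  # A missed its heartbeat
    after = master.dispatch(f1, b"z" * 10)         # S now owns f1 with seeded state
    return first, moved, after, master.members["S"].sessions[f1]["bytes"]


if __name__ == "__main__":
    print(demo())
```

The part worth noticing for a security review is the filtering rule in `Member.receive`: because every member sees every inbound packet, correctness of the cluster rests on each member dropping traffic for flows it does not own, and on the master's aggregated session data being current enough that a promoted standby resumes a flow with the right state (here, the byte count and session key carry over across the failover).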
Specification