Cluster architecture for network security processing

US 8,392,496 B2
Filed: 12/21/2009
Issued: 03/05/2013
Est. Priority Date: 12/19/2008
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium comprising instructions to cause a computing device to perform a method, the method comprising:

maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master;

identifying a network flow for processing by the cluster;

assigning the network flow to a selected one of the cluster computing devices;

aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises session keys of network flows assigned to the two or more cluster computing devices, each network flow being established between a respective one of the two or more cluster computing devices and an external client; and

configuring the assigned cluster computing device to process network traffic associated with the network flow.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device may be joined to a cluster by discovering the device, determining whether the device is eligible to join the cluster, configuring the device, and assigning the device a cluster role. A device may be assigned to act as a cluster master, backup master, active device, standby device, or another role. The cluster master may be configured to assign tasks, such as network flow processing to the cluster devices. The cluster master and backup master may maintain global, run-time synchronization data pertaining to each of the network flows, shared resources, cluster configuration, and the like. The devices within the cluster may monitor one another. Monitoring may include transmitting status messages comprising indicators of device health to the other devices in the cluster. In the event a device satisfies failover conditions, a failover operation to replace the device with another standby device, may be performed.

132 Citations

43 Claims

1. A non-transitory computer-readable storage medium comprising instructions to cause a computing device to perform a method, the method comprising:
- maintaining a flow assignment data structure comprising mappings between network flows and cluster computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master;
  
  identifying a network flow for processing by the cluster;
  
  assigning the network flow to a selected one of the cluster computing devices;
  
  aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises session keys of network flows assigned to the two or more cluster computing devices, each network flow being established between a respective one of the two or more cluster computing devices and an external client; and
  
  configuring the assigned cluster computing device to process network traffic associated with the network flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-readable storage medium of claim 1, wherein processing network traffic comprises subjecting network traffic associated with the flow to a security policy.
  - 3. The computer-readable storage medium of claim 1, further comprising configuring an inbound network interface communicatively coupling the cluster computing devices to a network to forward network traffic associated with the network flow to the assigned cluster computing device.
  - 4. The computer-readable storage medium of claim 1, wherein the network flow is assigned to a cluster computing device according to one or more flow assignment rules.
  - 5. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that related network flows are to be assigned to the same cluster computing device.
  - 6. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that related forward and reverse network flows are to be assigned to the same cluster computing device.
  - 7. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows relating to the same protocol connection are to be assigned to the same cluster computing device.
  - 8. The computer-readable storage medium of claim 7, wherein one of the one or more flow assignment rules specifies that file transfer protocol (FTP) control network flows are to be assigned to the same cluster computing device that is handling related FTP data network flows and vice versa.
  - 9. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows associated with the same tunnel are to be assigned to the same cluster computing device.
  - 10. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows associated with the same tunnel switch are to be assigned to the same cluster computing device.
  - 11. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security information are to be assigned to the same cluster computing device.
  - 12. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security association are to be assigned to the same cluster computing device.
  - 13. The computer-readable storage medium of claim 12, wherein the flow assignment rule specifies that network flows sharing the same inbound security association are to be assigned to the same cluster computing device, and that network flows sharing the same outbound security association are to be assigned to the same cluster computing device.
  - 14. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that all Internet Protocol Security (IPSec) flows associated with a particular peer are to be assigned to the same cluster computing device.
  - 15. The computer-readable storage medium of claim 4, wherein one of the one or more flow assignment rules specifies that flows associated with the same secure tunnel are to be assigned to the same cluster computing device.

16. A system comprising:
- a cluster comprising a plurality of communicatively coupled computing devices, wherein one of the cluster computing devices is configured to operate as a cluster master, and wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master; and
  
  a network interface communicatively coupling the cluster to an external network;
  
  a flow assignment module implemented on the cluster master computing device and configured to assign network flows to the cluster computing devices according to one or more flow assignment rules,wherein the cluster computing devices are configured to receive inbound network traffic via the network interface, and wherein each of the cluster computing devices comprises a traffic processing module configured to ignore inbound network traffic that is not associated with a network flow assigned thereto, and to process inbound network traffic related to network flows that are assigned to the cluster computing device according to a security policy,wherein the cluster master is configured to aggregate flow session data received from two or more of the cluster computing devices, and wherein the flow session data comprises cache data of network flows with respective clients in an external network assigned to the two or more cluster computing devices, andwherein assigning the network flow to a selected cluster computing device comprises configuring a flow processing module of the selected cluster computing device to identify and process network traffic associated with the assigned network flow.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The system of claim 16, wherein responsive to receiving inbound network traffic from the external network, the flow assignment module is configured to determine whether a cluster computing device has been assigned to a network flow corresponding to the inbound network traffic, wherein if no cluster computing device is assigned to the corresponding network flow, the flow assignment module is configured to assign the flow to one of the cluster computing devices according to the one or more flow assignment rules, and wherein if a cluster computing device has been assigned to the corresponding network flow, the flow assignment module ignores the inbound network traffic.
  - 18. The system of claim 17, wherein assigning the network flow to a cluster computing device comprises updating a flow assignment data structure to associate the network flow with one of the cluster computing devices.
  - 19. The system of claim 16, wherein assigning the network flow to a selected cluster computing device comprises transmitting the inbound network traffic to the selected cluster computing device.
  - 20. The system of claim 17, wherein assigning the network flow to a selected cluster computing device comprises configuring the network interface to forward network traffic associated with the network flow to the selected cluster computing device.
  - 21. The system of claim 16, wherein the one or more flow assignment rules comprise flow assignment rules specifying that related forward and reverse network flows, flows related to the same tunnel, the same protocol connection, and/or the same tunnel switch are to be assigned to the same cluster computing device.
  - 22. The system of claim 16, wherein the one or more flow assignment rules comprise flow assignment rules specifying that flows sharing the same security information are to be assigned to the same cluster computing device.
  - 23. The system of claim 22, wherein one of the one or more flow assignment rules specifies that network flows associated with the same secure tunnel are to be assigned to the same cluster computing device.
  - 24. The system of claim 22, wherein one of the one or more flow assignment rules specifies that secure network flows to the same external peer are to be assigned to the same cluster computing device.
  - 25. The system of claim 22, wherein one of the one or more flow assignment rules specifies that network flows sharing the same security association are to be assigned to the same cluster computing device.
  - 26. The system of claim 22, wherein one of the one or more flow assignment rules specifies that network flows sharing the same inbound security association are to be assigned to the same cluster computing device, and network flows sharing the same outbound security association are to be assigned to the same cluster computing device.
  - 27. The system of claim 16, further comprising a shared Internet Key Exchange (IKE) module implemented on the cluster master computing device, wherein the cluster computing devices are configured to negotiate security associations using the shared IKE module.

28. A method for assigning network flows within a cluster comprising a plurality of computing devices, the method comprising:
- maintaining a flow assignment data structure comprising mappings between network flows and computing devices assigned thereto by a cluster master, wherein each of the cluster computing devices is coupled to an external network interface and is capable of processing network flows independently of the cluster master;
  
  receiving network traffic on a network interface, the network traffic corresponding to a network flow;
  
  assigning the network flow to a selected one of the plurality of computing devices by;
  
  identifying one or more computing devices that are eligible to be assigned the received network flow using the flow assignment data structure and one or more flow assignment rules,selecting one of the one or more eligible computing devices according to a selection criteria, andconfiguring the selected computing device to process network traffic associated with the received network flow; and
  
  aggregating, at the cluster master, flow session data received from two or more of the cluster computing devices, wherein the flow session data comprises security association sequences of network flows between each of the two of more cluster computing devices and respective computing devices in an external network.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method of claim 28, further comprising transmitting the received network traffic to the selected computing device.
  - 30. The method of claim 29, further comprising configuring the network interface to forward network traffic corresponding to the network flow to the selected computing device.
  - 31. The method of claim 29, wherein one of the one or more traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow that is related to the received network flow.
  - 32. The method of claim 29, wherein one of the one or more of the traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow that shares security information with the received network flow.
  - 33. The method of claim 32, wherein one of the one or more traffic assignment rules determines eligibility based upon whether one or more of the computing devices is assigned a network flow sharing a secure tunnel with the received network flow.

34. A method for processing network traffic by a computing device in a cluster comprising a plurality of computing devices, comprising:
- receiving a network flow assignment to assign one or more network flows to the computing device from a cluster master, wherein the computing device is communicatively coupled to an external network interface and is capable of processing network flows independently of the cluster master;
  
  receiving network traffic relating to a plurality of different network flows;
  
  processing the received network traffic by;
  
  identifying network traffic associated with network flows assigned to the computing device,processing the identified network traffic according to a security policy, and dropping network traffic that is not identified as associated with a network flow assigned to the computing device; and
  
  transmitting flow session data to a cluster master via a network interface, the flow session data comprising a session key of a network flow assigned to the computing device and comprising a network connection between the computing device and a client.
- View Dependent Claims (35, 36, 37, 38)
- - 35. The method of claim 34, further comprising maintaining a flow assignment data structure identifying the one or more network flows assigned to the computing device.
  - 36. The method of claim 35, wherein the flow assignment data structure identifies network flows using one selected from a source address of the assigned network flow, a destination address of the assigned network flow, a protocol of the assigned network flow, and a port assignment of the assigned network flow.
  - 37. The method of claim 34, further comprising:
    - for each of the assigned network flows;
      
      maintaining run-time synchronization data associated therewith, and synchronizing the run-time synchronization data to a cluster master computing device.
  - 38. The method of claim 35, wherein processing the identified network traffic comprises negotiating a security association, the method further comprising accessing a shared Internet Key Exchange (IKE) service provided by one of the cluster computing devices to perform the security association negotiation.

39. A cluster computing device, comprising:
- a communication interface communicatively coupled to an external network interface and a cluster interface; and
  
  a traffic processing module operable on a processor of the cluster computing device and configured to receive a network flow assignment from a cluster master via the cluster interface, the network flow assignment identifying one or more network flows assigned to the cluster computing device,wherein the traffic processing module is configured to receive network traffic associated with a plurality of different network flows on the external network interface independently of the cluster master, and wherein upon receiving the network traffic, the traffic processing module is configured to identify network traffic associated with the one or more network flows assigned to the cluster computing device, to process the identified network traffic according to a security policy, and to drop network traffic that is not identified as assigned to the cluster computing device, andwherein the cluster computing device is configured to transmit flow session data to the cluster master on the cluster interface, the flow session data comprising cache data of a network flow assigned to the cluster computing device and pertaining to a network connection between the cluster computing device and a client computing device.
- View Dependent Claims (40, 41, 42, 43)
- - 40. The cluster computing device of claim 39, wherein the cluster computing device is configured to maintain a flow assignment data structure identifying the one or more network flows assigned thereto, and wherein the traffic processing module identifies the network traffic assigned to the cluster computing device using the flow assignment data structure.
  - 41. The cluster computing device of claim 40, wherein the flow assignment data structure identifies network flows assigned to the cluster computing device based upon one selected from a source address of the assigned network flow, a destination address of the assigned network flow, a protocol of the assigned network flow, and a port assignment of the assigned network flow.
  - 42. The cluster computing device of claim 39, wherein the flow processing module is configured to maintain run-time synchronization data associated with each of the network flows assigned to the cluster computing device, and to synchronize the runtime synchronization data to a cluster master computing device via the cluster interface.
  - 43. The cluster computing device of claim 39, wherein processing the identified network traffic comprises negotiating a security association, and wherein the flow processing module is configured to access a shared Internet Key Exchange (IKE) service provided by one of the cluster computing devices to perform the security association negotiation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Linden, Thomas, Huang, James, Hsu, Jeff, Lee, Ming-Jeng
Primary Examiner(s)
Yohannes, Tesfay

Application Number

US12/643,663
Publication Number

US 20100162383A1
Time in Patent Office

1,170 Days
Field of Search

709/200, 709/201, 709/207, 370/409, 370/410
US Class Current

709/201
CPC Class Codes

G06F 11/181   Eliminating the failing red...

G06F 11/182   based on mutual exchange of...

G06F 11/2028   eliminating a faulty proces...

G06F 11/203   using migration

G06F 11/2035   without idle spare hardware

G06F 15/177   Initialisation or configura...

H04L 41/0659   by isolating or reconfiguri...

H04L 41/0869   Validating the configuratio...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 43/0817   by checking functioning

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0218   Distributed architectures, ...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/20   for managing network securi...

H04L 67/1095   Replication or mirroring of...

H04L 67/142   Managing session states for...

Cluster architecture for network security processing

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Cluster architecture for network security processing

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links