Highly scalable architecture for application network appliances

US 8,443,069 B2
Filed: 03/24/2011
Issued: 05/14/2013
Est. Priority Date: 08/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at a client host machine, establishing a secure control channel for data traffic between the client host machine and a gateway device;

negotiating security parameters with the gateway device;

downloading a policy from the gateway device via the secure control channel;

analyzing the policy to identify portions of the data traffic that is to be sent over the secure control channel;

selecting the portions of the data traffic for transmission over the secure channel based on the analyzing;

encrypting payloads of the selected portions of the data traffic; and

establishing a proxy connection to provide a security service for the selected portions of the data traffic.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.

Citations

20 Claims

1. A method comprising:
- at a client host machine, establishing a secure control channel for data traffic between the client host machine and a gateway device;
  
  negotiating security parameters with the gateway device;
  
  downloading a policy from the gateway device via the secure control channel;
  
  analyzing the policy to identify portions of the data traffic that is to be sent over the secure control channel;
  
  selecting the portions of the data traffic for transmission over the secure channel based on the analyzing;
  
  encrypting payloads of the selected portions of the data traffic; and
  
  establishing a proxy connection to provide a security service for the selected portions of the data traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein establishing a secure control channel comprises establishing a Transparent Secure Transport Channel.
  - 3. The method of claim 1, and further comprising evaluating security zone characteristics of the downloaded policy in order to determine whether to encrypt the data traffic.
  - 4. The method of claim 3, wherein evaluating the security zone characteristics comprises:
    - at the client host machine, analyzing the security zone characteristics to determine whether the policy requires one of a relative low, medium or high security;
      
      authorizing the data traffic to be transmitted to the gateway device when the policy requires low security;
      
      adding an integrity code to the data traffic using the negotiated security parameters when the policy requires medium security; and
      
      encrypting the payload using the negotiated security parameters when the policy requires high security.
  - 5. The method of claim 4, wherein adding the integrity code comprises adding a Message Authentication Code (MAC) to the data traffic.
  - 6. The method of claim 1, wherein encrypting comprises encrypting an Internet Protocol (IP) payload of the data traffic.
  - 7. The method of claim 6, wherein encrypting comprises encrypting the IP payload while IP address and Transport Control Protocol (TCP) information of the data traffic remains unencrypted.

8. One or more computer-readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- establish a secure control channel for data traffic between a client host machine and a gateway device;
  
  negotiate security parameters with the gateway device;
  
  download a policy from the gateway device via the secure control channel;
  
  analyze the policy to identify portions of the data traffic that is to be sent over the secure control channel;
  
  select the portions of the data traffic for transmission over the secure channel based on the analysis of the policy;
  
  encrypt payloads of the selected portions of the data traffic; and
  
  establish a proxy connection to provide a security service for the selected portions of the data traffic.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage media of claim 8, wherein the instructions operable to establish comprise instructions operable to establish a Transparent Secure Transport Channel.
  - 10. The computer-readable storage media of claim 8, further comprising instructions operable to evaluate security zone characteristics of the downloaded policy in order to determine whether to encrypt the data traffic.
  - 11. The computer-readable storage media of claim 10, wherein the instructions operable to evaluate comprise instructions operable to:
    - analyze the security zone characteristics to determine whether the policy requires one of a relative low, medium or high security;
      
      authorize the data traffic to be transmitted to the gateway device when the policy requires low security;
      
      add an integrity code to the data traffic using the negotiated security parameters when the policy requires medium security; and
      
      encrypt the payload using the negotiated security parameters when the policy requires high security.
  - 12. The computer-readable storage media of claim 11, wherein the instructions operable to add comprise instructions operable to add a Message Authentication Code (MAC) to the data traffic.
  - 13. The computer-readable storage media of claim 8, wherein the instructions operable to encrypt comprise instructions operable to encrypt an Internet Protocol (IP) payload of the data traffic.
  - 14. The computer-readable storage media of claim 13, wherein the instructions operable to encrypt comprise instructions operable to encrypt the IP payload while IP address and Transport Control Protocol (TCP) information of the data traffic remains unencrypted.

15. An apparatus comprising:
- a network interface unit configured to enable communications over a network; and
  
  a processor configured to execute instructions associated with an application server and an agent server, and configured to;
  
  establish a secure control channel for data traffic between a client host machine and a gateway device;
  
  negotiate security parameters with the gateway device;
  
  download a policy from the gateway device via the secure control channel;
  
  analyze the policy to identify portions of the data traffic that is to be sent over the secure control channel;
  
  select the portions of the data traffic for transmission over the secure channel based on the analysis of the policy;
  
  encrypt payloads of the selected portions of the data traffic; and
  
  establish a proxy connection to provide a security service for the selected portions of the data traffic.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the processor is further configured to establish a Transparent Secure Transport Channel.
  - 17. The apparatus of claim 15, wherein the processor is further configured to evaluate security zone characteristics of the downloaded policy in order to determine whether to encrypt the data traffic.
  - 18. The apparatus of claim 17, wherein the processor is further configured to:
    - analyze the security zone characteristics to determine whether the policy requires one of a relative low, medium or high security;
      
      authorize the data traffic to be transmitted to the gateway device when the policy requires low security;
      
      add an integrity code to the data traffic using the negotiated security parameters when the policy requires medium security; and
      
      encrypt the payload using the negotiated security parameters when the policy requires high security.
  - 19. The apparatus of claim 18, wherein the processor is further configured to add a Message Authentication Code (MAC) to the data traffic.
  - 20. The apparatus of claim 15, wherein the processor is further configured to encrypt an Internet Protocol (IP) payload of the data traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bagepalli, Nagaraj, Gandhi, Prashant, Patra, Abhijit, Prabhu, Kirti, Thakar, Anant
Primary Examiner(s)
JACOBS, LASHONDA T

Application Number

US13/070,588
Publication Number

US 20110173441A1
Time in Patent Office

782 Days
Field of Search

709/223, 709/224, 709/203, 709/217, 709/219, 370/352, 370/389, 370/401, 713/153, 713/201
US Class Current

709/223
CPC Class Codes

H04L 47/20   Traffic policing

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/321   Interlayer communication pr...

H04L 9/3242   involving keyed hash functi...

Y10T 70/5827   Axially movable clutch

Highly scalable architecture for application network appliances

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Highly scalable architecture for application network appliances

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links