Secure high-throughput data-center network employing routed firewalls

US 8,479,275 B1
Filed: 02/01/2006
Issued: 07/02/2013
Est. Priority Date: 02/01/2006
Status: Active Grant

First Claim

Patent Images

1. A data center comprising:

a first data-center tier configured to electronically connect to an external network;

an internal portion of the data center coupled to the first data-center tier, wherein the internal portion comprises;

a second data-center tier comprising;

a second data-center tier internal core; and

an intrusion detection service module; and

a third data-center tier comprising a third data-center tier internal core;

a first routed firewall instance coupled between the first data-center tier and the external network; and

a second routed firewall instance coupled between the first data-center tier and the second data-center tier, wherein the second routed firewall instance facilitates data filtering and routing data between a plurality of virtual local area networks (VLANs) that are internal to the first data-center tier and a VLAN that interfaces the first data-center tier and the second data-center tier, and wherein the intrusion detection service module is electronically connected to the second routed firewall instance, the second data-center tier internal core, and the third data-center tier internal core.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reliable and secure data-center. The data center includes a first data-center tier that is adapted to connect to an external network and an internal portion of the data center. A first firewall instance interfaces the first tier and the external network. A second firewall instance interfaces the first tier and the internal portion of the data center. In a more specific embodiment, the first firewall instance and the second firewall instance accommodate Internet Protocol SECurity (IPSEC) terminations using one or more VPNSMs. In this embodiment, the first data-center tier implements a core tier that includes one or more core switches that facilitate implementing the first firewall instance and the second firewall instance. The interior portion of the network represents a DeMilitarized Zone (DMZ) that includes a second tier that is connected between the first data-center tier and a third tier. The second tier implements an aggregation tier that includes one or more aggregation switches that facilitate implementing reverse-proxy caching. Overall Layer-3 design methodology is used within each tier and across tiers for optimized packet switching. The aggregation tier includes one or more aggregation-tier service modules for implementing load balancing, Secure Socket Layer (SSL) offloading, and/or the reverse-proxy caching.

54 Citations

View as Search Results

42 Claims

1. A data center comprising:
- a first data-center tier configured to electronically connect to an external network;
  
  an internal portion of the data center coupled to the first data-center tier, wherein the internal portion comprises;
  
  a second data-center tier comprising;
  
  a second data-center tier internal core; and
  
  an intrusion detection service module; and
  
  a third data-center tier comprising a third data-center tier internal core;
  
  a first routed firewall instance coupled between the first data-center tier and the external network; and
  
  a second routed firewall instance coupled between the first data-center tier and the second data-center tier, wherein the second routed firewall instance facilitates data filtering and routing data between a plurality of virtual local area networks (VLANs) that are internal to the first data-center tier and a VLAN that interfaces the first data-center tier and the second data-center tier, and wherein the intrusion detection service module is electronically connected to the second routed firewall instance, the second data-center tier internal core, and the third data-center tier internal core.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 40, 41, 42)
- - 2. The data center of claim 1, further comprising internet protocol security (IPSEC) terminations at the first and second routed firewall instances.
  - 3. The data center of claim 1, further comprising a first data-center tier core included in the first data-center tier, the first data-center tier core tier further comprising one or more core switches that facilitate implementing the first routed firewall instance and the second routed firewall instance.
  - 4. The data center of claim 1, wherein the internal portion further comprises a secure socket server module coupled to the second data-center tier internal core via a load balancer.
  - 5. The data center of claim 1, further comprising an aggregation tier included in the second data-center tier, wherein the aggregation tier includes one or more aggregation switches that facilitate implementing reverse-proxy caching.
  - 6. The data center of claim 5, further comprising one or more aggregation-tier service modules included in the aggregation tier, wherein the one or more aggregation-tier service modules implements a function selected from the group consisting ofload balancing,secure socket layer (SSL) offloading, andreverse-proxy caching.
  - 7. The data center of claim 1, further comprising a first pair of switches, a second pair of switches, and a third pair of switches, included in the first data-center tier, the second tier, and/or the third tier, respectively.
  - 8. The data center of claim 7, wherein one or more port channels connect switches of the first pair of switches, the second pair of switches, and the third pair of switches.
  - 9. The data center of claim 8, wherein the first pair of switches, the second pair of switches, and the third pair of switches include one or more layer-3 (L3) switches.
  - 10. The data center of claim 8, further comprising plural port channels, the plural port channels including a first port channel for carrying data traffic and a second port channel for carrying control traffic.
  - 11. The data center of claim 1, further comprising service-module intelligence implemented in the first data-center tier.
  - 12. The data center of claim 11, further comprising one or more virtual private network service modules (VPNSMs) included in the service-module intelligence.
  - 13. The data center of claim 12, wherein the first routed firewall instance and the second routed firewall instance are implemented via a first VPNSM.
  - 14. The data center of claim 13, wherein the first VPNSM runs on a first switch.
  - 15. The data center of claim 14, wherein the first VPN runs on a blade of the first switch, wherein the first switch is a router.
  - 16. The data center of claim 13 further comprising a firewall state link port channel coupled between core-tier switches in the first data-center tier.
  - 17. The data center of claim 11, wherein the first routed firewall instance and the second routed firewall instance, which include virtual routed firewall instances, are included in the service-module intelligence.
  - 18. The data center of claim 17, wherein the virtual routed firewall instances are implemented via one or more firewall service modules (FWSMs) and one or more virtual private network service modules (VPNSMs).
  - 19. The data center of claim 17, wherein the first virtual routed firewall instance interfaces the external network and the data center.
  - 20. The data center of claim 19, wherein the second virtual routed firewall instance interfaces the first data-center tier with the second data center tier.
  - 21. The data center of claim 19, further comprising internet-protocol security (IPSEC) VLAN terminations implemented via one or more VPNSMs, wherein the IPSEC VLAN terminations are included in the first routed firewall instance and the second routed firewall instance.
  - 22. The data center of claim 1, further comprising aggregation-tier service-module intelligence implemented in the second data center tier.
  - 23. The data center of claim 22, further comprising a content switching module (CSM), a secure socket layer service module (SSLSM), and an intrusion detection service module (IDSM), which are included in the aggregation-tier service-module intelligence.
  - 24. The data center of claim 23, wherein the IDSM is positioned to monitor incoming traffic from the first data-center tier and server traffic from the third data center tier.
  - 25. The data center of claim 24, wherein the incoming traffic and the server traffic traverse one or more virtual local area networks (VLANs) between the first data-center tier and the second data center tier between the second data center tier and the third data center tier.
  - 26. The data center of claim 23, further comprising a one-arm connection that couples the CSM is to one or more aggregation-tier switches.
  - 27. The data center of claim 1, further comprising access-tier service-module intelligence included in the third data-center tier.
  - 28. The data center of claim 27, wherein the third data-center tier is electronically connected to one or more network devices selected from the group consisting of a server and a network storage device via one or more VLANs so that L3 switches of the third data center tier implement a default gateway for the one or more network devices.
  - 29. The data center of claim 27, further comprising a network analysis module (NAM) included in the service-module intelligence of the third data center tier.
  - 30. The data center of claim 1, further comprising one or more layer-3 (L3) switches included in the third data center tier.
  - 31. The data center of claim 30, further comprising one or more virtual local area networks (VLANs) interfacing the one or more L3 switches with one or more network devices selected from the group consisting of a server and a storage device, wherein the third data-center tier includes the one or more VLANs interfacing the one or more L3 switches with one or more network devices.
  - 32. The data center of claim 31, further comprising at least one server selected from the group consisting of a web server, an application server, and a database server, wherein the one or more servers include at least one server selected from the group consisting of the web server, the application server, and the database server.
  - 33. The data center of claim 1, further comprising a first L3 interface, wherein the first data-center tier and the second data-center tier are coupled via the first L3 interface.
  - 34. The data center of claim 33, further comprising a second L3 interface, wherein the second data-center tier and the third data-center tier are coupled via the second L3 interface.
  - 35. The data center of claim 34, further comprising one or more point-to-point links between switches of the second data-center tier and switches of the third data-center tier, wherein the second L3 interface includes one or more point-to-point links between switches of the second data-center tier and switches of the third data-center tier.
  - 36. The data center of claim 1, further comprising one or more partner networks coupled to the data center through the second routed firewall instance between the first data-center tier and the second data-center tier.
  - 40. The data center of claim 1, wherein the intrusion detection module is configured to:
    - receive a data stream;
      
      examine the data stream to determine a security risk from the data stream; and
      
      based upon determining the security risk, send a notice to a user interface that the data stream comprises the security risk.
  - 41. The data center of claim 1, wherein the electrical connection of the intrusion detection service module is directly connected to each of the second routed firewall instance, the second data-center tier internal core, and the third data-center tier internal core.
  - 42. The data center of claim 1, wherein the electrical connection of the intrusion detection service module is directly connected to the second data-center tier internal core and the third data-center tier internal core.

37. A method comprising:
- constructing a first data-center tier for electronically connecting to an external network and an internal portion of a data center, wherein the internal portion comprises;
  
  a second data-center tier comprising a second data-center tier internal core and an intrusion detection service module; and
  
  a third data-center tier comprising a third data-center tier internal core; and
  
  implementing a first routed firewall instance to interface the first data-center tier and the external network; and
  
  implementing a second routed firewall instance to interface the first data-center tier and the second data-center tier, wherein the second routed firewall instance facilitates data filtering and routing data between a plurality of virtual local area networks (VLANs) that are internal to the first data-center tier and a VLAN that interfaces the first data-center tier and the second data-center tier, and wherein the intrusion detection service module is electronically connected to the second routed firewall instance, the second data-center tier internal core, and the third data-center tier internal core.

38. A data center comprising:
- a first data-center tier for electronically connecting to an external network and an internal portion of a data center, wherein the internal portion comprises;
  
  a second data-center tier comprising a second data-center tier internal core and an intrusion detection service module; and
  
  a third data-center tier comprising an third data-center tier internal core;
  
  a first routed firewall instance to interface the first data-center tier and the external network; and
  
  means for implementing a second routed firewall instance to interface the first data-center tier and the second data-center tier, wherein the second routed firewall instance facilitates data filtering and routing data between a plurality of virtual local area networks (VLANs) that are internal to the first data-center tier and a VLAN that interfaces the first data-center tier and the second data-center tier, and wherein the intrusion detection service module is electronically connected to the second routed firewall instance, the second data-center tier internal core, and the third data-center tier internal core.
- View Dependent Claims (39)
- - 39. The data center of claim 38 further comprising a first L3 interface,wherein the first data-center tier and the second data-center tier are coupled via the first L3 interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Naseh, Zeeshan
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Le, David

Application Number

US11/345,186
Time in Patent Office

2,708 Days
Field of Search

726 11- 14
US Class Current

726/11
CPC Class Codes

H04L 63/0209 Architectural arrangements,...

H04L 67/2895 Intermediate processing fun...

Secure high-throughput data-center network employing routed firewalls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

Secure high-throughput data-center network employing routed firewalls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others