Media access control address translation in virtualized environments

US 8,640,221 B2
Filed: 12/10/2010
Issued: 01/28/2014
Est. Priority Date: 12/11/2009
Status: Active Grant

First Claim

Patent Images

1. A method for transmitting network packets through a network security device, the method comprising:

receiving, with a network device, a network packet from a first computing device to be sent to a second computing device over a network comprising the network security device and first and second network switches, wherein the network packet comprises a first network interface identifier for identifying the first computing device on the network and a second network interface identifier for identifying the second computing device on the network;

identifying third and fourth network interface identifiers associated with the network device that, when the network packet is transmitted using the third and fourth network interface identifiers, cause the network packet to be transmitted through the network security device;

transmitting the network packet from the network device over the network through the network security device using the third and fourth network interface identifiers, wherein the network packet is transmitted through the first network switch before being transmitted through the network security device, and the network packet is transmitted through the second network switch after being transmitted through the network security device; and

after the network device receives the network packet back from the network security device through the second network switch, transmitting the network packet from the network device to the second computing device using the first and second network interface identifiers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided that transmits network packets through a network security device. The method receives a request to send a network packet from a first computing device to a second computing device over a network that includes the network security device. The network packet includes a first network interface identifier for identifying the first computing device and a second network interface identifier for identifying the second computing device. The method identifies third and fourth network interface identifiers that cause the network packet to be transmitted through the network security device when the network packet is transmitted using the third and fourth network interface identifiers. The method transmits the network packet over the network through the network security device using the third and fourth network interface identifiers. The method transmits the network packet to the second computing device using the first and second network interface identifiers.

35 Citations

View as Search Results

32 Claims

1. A method for transmitting network packets through a network security device, the method comprising:
- receiving, with a network device, a network packet from a first computing device to be sent to a second computing device over a network comprising the network security device and first and second network switches, wherein the network packet comprises a first network interface identifier for identifying the first computing device on the network and a second network interface identifier for identifying the second computing device on the network;
  
  identifying third and fourth network interface identifiers associated with the network device that, when the network packet is transmitted using the third and fourth network interface identifiers, cause the network packet to be transmitted through the network security device;
  
  transmitting the network packet from the network device over the network through the network security device using the third and fourth network interface identifiers, wherein the network packet is transmitted through the first network switch before being transmitted through the network security device, and the network packet is transmitted through the second network switch after being transmitted through the network security device; and
  
  after the network device receives the network packet back from the network security device through the second network switch, transmitting the network packet from the network device to the second computing device using the first and second network interface identifiers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising, before transmitting the network packet to the second computing device, receiving, with the network device, the network packet from the network security device through the second network switch using the third and fourth network interface identifiers.
  - 3. The method of claim 1, wherein the network security device is an intrusion prevention system (IPS) device.
  - 4. The method of claim 1, wherein the first network interface identifier is a first media access control (MAC) address and the second network interface identifier is a second MAC address different from the first MAC address.
  - 5. The method of claim 4, wherein the third network interface identifier is a third MAC address different from the first and second MAC addresses and the fourth network interface identifier is a fourth MAC address different from the first, second, and third MAC addresses.
  - 6. The method of claim 1, wherein identifying the third and fourth network interface identifiers comprises:
    - replacing the first network interface identifier in the network packet with the third network interface identifier; and
      
      replacing the second network interface identifier in the network packet with the fourth network interface identifier.
  - 7. The method of claim 6 further comprising, before transmitting the network packet to the second computing device:
    - replacing the third network interface identifier in the network packet with the first network interface identifier; and
      
      replacing the fourth network interface identifier in the network packet with the second network interface identifier.
  - 8. The method of claim 1, wherein the network packet bypasses the network security device when the network packet is transmitted to the second computing device using the first and second network interface identifiers.
  - 9. The method of claim 1, wherein the first and second computing devices are virtual computing devices.
  - 10. The method of claim 1, wherein the first and second computing devices are physical computers.
  - 11. The method of claim 1, wherein the receiving, identifying, transmitting the network packet from the network device through the network security device and transmitting the network packet from the network device to the second computing device are performed by a firewall on the network device.
  - 12. The method of claim 11, wherein the firewall is a virtual firewall running on a virtual server that hosts at least one of the first and second computing devices.
  - 13. The method of claim 11, wherein the network device comprises a physical network switch that includes the firewall.
  - 14. The method of claim 1, wherein the network packet is received from the first computing device.

15. A method for transmitting network packets through a network security device, the method comprising:
- receiving, with a first network device, a network packet from a first computing device to be sent to a second computing device over a network comprising the network security device and first and second network switches, the network packet comprising a first network interface identifier for identifying the first computing device on the network and a second interface identifier for identifying the second computing device on the network;
  
  sending, from the first network device, a request for a third network interface identifier and a fourth network interface identifier, wherein the third and fourth network interface identifiers are associated with the first network device;
  
  modifying, with the first network device, the network packet to use the third and fourth network interface identifiers when the network packet is transmitted over the network;
  
  transmitting the network packet from the first network device over the network through the network security device using the third and fourth network interface identifiers, wherein the network packet is transmitted through the first network switch before being transmitted through the network security device, and the network packet is transmitted through the second network switch to the first network device after being transmitted through the network security device; and
  
  transmitting the network packet from the first network device to the second computing device using the first and second network interface identifiers.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The method of claim 15, wherein the request is sent to a network interface identifier manager that manages a plurality of different network interface identifiers for a plurality of different computing devices.
  - 17. The method of claim 15, wherein the network packet is received from the first computing device.
  - 18. The method of claim 15, wherein the network security device is an intrusion prevention system (IPS) device.
  - 19. The method of claim 15, wherein the first network interface identifier is a first media access control (MAC) address and the second network interface identifier is a second MAC address different from the first MAC address.
  - 20. The method of claim 19, wherein the third network interface identifier is a third MAC address different from the first and second MAC addresses and the fourth network interface identifier is a fourth MAC address different from the first, second, and third MAC addresses.
  - 21. The method of claim 15, wherein modifying the network packet comprises:
    - replacing the first network interface identifier in the network packet with the third network interface identifier; and
      
      replacing the second network interface identifier in the network packet with the fourth network interface identifier.
  - 22. The method of claim 15, wherein the first and second computing devices are virtual computing devices.
  - 23. The method of claim 15, wherein the first and second computing devices are physical computers.
  - 24. The method of claim 15, wherein the receiving, sending, modifying, transmitting the network packet from the first network device over the network through the network security device and transmitting the network packet from the first network device to the second computing device are performed by a firewall on the first network device.
  - 25. The method of claim 24, wherein the firewall is a virtual firewall on a virtual server that hosts at least one of the first and second computing devices.
  - 26. The method of claim 24, wherein the first network device comprises a physical network switch that includes the firewall.

27. A method for communicating network packets through a network security device that is part of a network comprising first and second firewalls, first and second switching devices, and a plurality of computing devices, each switching device coupled to the first and second firewalls and the network security device, the method comprising:
- at the first firewall, receiving a network packet from a first computing device coupled to the first firewall to be sent to a second computing device coupled to the second firewall, wherein the network packet comprises a first network interface identifier for identifying the first computer on the network and a second network interface identifier for identifying the second computer on the network;
  
  at the first firewall, performing a first modification to the network packet by replacing the first network interface identifier with a third network interface identifier and replacing the second network interface identifier with a fourth network interface identifier, wherein the third and fourth network interface identifiers are associated with the first firewall;
  
  from the first firewall, transmitting the first modified network packet to the first switching device, wherein the first switching device forwards the first modified network packet through the network security device to the second switching device, wherein the second switching device forwards the first modified network packet to the first firewall;
  
  at the first firewall, performing a second modification to the first modified network packet by replacing the third network interface identifier with the first network interface identifier and replacing the fourth network interface identifier with the second network interface identifier; and
  
  from the first firewall, transmitting the second modified network packet to the second computing device through the first switching device.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The method of claim 27, wherein the first switching device further forwards the first modified network packet to the second firewall when the first switching device receives the first modified network packet.
  - 29. The method of claim 28 further comprising, at the second firewall, dropping the first modified network packet based on the third and fourth network interface identifiers associated with the first firewall when the second firewall receives the first modified network packet from the first switching device.
  - 30. The method of claim 27, wherein the second switching device further forwards the first modified network packet to the second firewall when the second switching device receives the first modified network packet.
  - 31. The method of claim 30 further comprising, at the second firewall, dropping the first modified network packet based on the third and fourth network interface identifiers associated with the first firewall when the second firewall receives the first modified network packet transmitted from the second switching device.
  - 32. The method of claim 27, wherein the network packet is a first network packet, the method further comprising:
    - at the second firewall, receiving a second network packet from the second computing device to be sent to the first computing device in response to the first network packet, wherein the second network packet comprises the first network interface identifier and the second network interface identifier;
      
      at the second firewall, performing a first modification to the second network packet by replacing the first network interface identifier with a fifth network interface identifier and replacing the second network interface identifier with a sixth network interface identifier, wherein the fifth and sixth network interface identifiers are associated with the second firewall;
      
      from the second firewall, transmitting the first modified second network packet to the second switching device, wherein the second switching device forwards the first modified second network packet only through the network security device to the first switching device, wherein the first switching device forwards the first modified second network packet only to the second firewall;
      
      at the second firewall, performing a second modification to the first modified second network packet by replacing the fifth network interface identifier with the first network interface identifier and replacing the sixth network interface identifier with the second network interface identifier; and
      
      from the second firewall, transmitting the second modified second network packet to the first computing device through the second switching device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Litvin, Moshe
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Shepperd, Eric W

Application Number

US12/965,802
Publication Number

US 20110145912A1
Time in Patent Office

1,145 Days
Field of Search

726 2- 3, 726 11- 13, 726/15, 726 22- 23, 726 26- 27, 726 29- 30, 709217-218, 709223-225, 709/238, 709/246, 709/249, 370/351, 370/389, 370/392, 370400-401
US Class Current

726/13
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 45/72   Routing based on the source...

H04L 61/2596   Translation of addresses of...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0272   Virtual private networks

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Media access control address translation in virtualized environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Media access control address translation in virtualized environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others