Network security device and method

US 8,654,779 B1
Filed: 11/22/2011
Issued: 02/18/2014
Est. Priority Date: 03/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a network device, a data packet;

determining, by the network device, whether the data packet is a first data packet in a session;

transmitting, by the network device, the data packet to;

one or more first board components, of the network device, when the data packet is the first data packet in the session, orone or more second board components, of the network device, and not to the one or more first board components when the data packet is not the first data packet in the session,the one or more second board components being different than the one or more first board components; and

processing the transmitted data packet by at least one of;

the one or more first board components, orthe one or more second board components.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for processing a data packet. An input port receives a data packet, a switching board classifies the data packet, determines whether the data packet should be accepted, and switches the data packet to a management board if the data packet is a first data packet in a session, and to a processing board if the data packet is not a first data packet in a session. A management board receives a data packet from the switching board, examines the data packet and forwards the data packet to one of the processing boards. One or more processing boards receives non-first data packets from the switching board and data packets from the management board and processes the data packets. A firewall and a secure gateway with firewall and virtual private network functionality for processing a data packet are also described.

Citations

20 Claims

1. A method comprising:
- receiving, by a network device, a data packet;
  
  determining, by the network device, whether the data packet is a first data packet in a session;
  
  transmitting, by the network device, the data packet to;
  
  one or more first board components, of the network device, when the data packet is the first data packet in the session, orone or more second board components, of the network device, and not to the one or more first board components when the data packet is not the first data packet in the session,the one or more second board components being different than the one or more first board components; and
  
  processing the transmitted data packet by at least one of;
  
  the one or more first board components, orthe one or more second board components.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where the one or more first board components are included on a management board of the network device, andwhere the one or more second board components are included on a processing board, of the network device, that is different than the management board.
  - 3. The method of claim 2, where transmitting the data packet includes transmitting the data packet by a switching board of the network device,the switching board, the management board, and the processing board being included in a single chassis box.
  - 4. The method of claim 1, further comprising:
    - determining that the data packet is the first data packet in the session;
      
      obtaining layer information from the data packet based on determining that the data packet is the first data packet in the session; and
      
      determining, using the layer information, whether information relating to the session is stored in a session data structure of the network device.
  - 5. The method of claim 4, further comprising:
    - transmitting the data packet to the one or more first board components when no information relating to the session is stored in the session data structure.
  - 6. The method of claim 4, further comprising:
    - determining whether the data packet is a first fragment of a fragmented packet when information relating to the session is stored in the session data structure;
      
      storing the layer information and information associated with a first plurality of second board components of the network device with the information relating to the session, when the data packet is a first fragment of a fragmented packet; and
      
      transmitting the data packet to a second plurality of second board components of the network device, when the data packet is not a first fragment of a fragmented packet,the second plurality of second board components being identified by the information relating to the session.
  - 7. The method of claim 1, further comprising:
    - processing the data packet by the one or more first board components,where processing the data packet by the one or more first board components includes;
      
      determining whether the data packet is associated with one or more network attacks; and
      
      dropping the data packet when the data packet is associated with the one or more network attacks.

8. A device comprising:
- one or more switching components;
  
  one or more management components; and
  
  one or more processing components,the one or more switching components to;
  
  receive a data packet,determine whether the data packet is a first data packet in a session, and transmit the data packet to;
  
  the one or more management components when the data packet is the first data packet in the session, orthe one or more processing components and not the one or more management components, when the data packet is not the first data packet in the session,the one or more management components to process the data packet when the data packet is transmitted to the one or more management components, andthe one or more processing components to process the data packet when the data packet is transmitted to the one or more processing components.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The device of claim 8, where the one or more switching components are to transmit the data packet to the one or more processing components,the one or more processing components processing the data packet when the data packet is transmitted to the one or more processing components,when processing the data packet, the one or more processing components are to:
    - determine whether the data packet is associated with one or more network attacks; and
      
      drop the data packet when the data packet is associated with the one or more network attacks.
  - 10. The device of claim 8, where the one or more switching components are included on a switching board of the device,where the one or more management components are included on a management board of the device, andwhere the one or more processing components are included on a processing board of the device,the switching board, the management board, and the processing board being different from one another.
  - 11. The device of claim 8, where the switching board, the management board, and the processing board are included in a single chassis box.
  - 12. The device of claim 8, where the one or more switching components are to transmit the data packet to the one or more management components,the one or more management components processing the data packet,when processing the data packet, the one or more management components are to create a session when the data packet is the first data packet in the session.
  - 13. The device of claim 8, where the one or more switching components are further to transmit the data packet to another device after the data packet has been processed by the one or more management components or the one or more processing components.

14. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- a plurality of instructions which, when executed by a device, cause the device to;
  
  receive a data packet;
  
  determine whether the data packet is a first data packet in a session;
  
  transmit the data packet to;
  
  one or more management components, of the device, when the data packet is the first data packet in the session, orone or more processing components, of the device, and not the one or more management components when the data packet is not the first data packet in the session,the one or more processing components being different than the one or more management components; and
  
  process the data packet by at least one of;
  
  the one or more management components, orthe one or more processing components.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, where the instructions further comprise:
    - one or more instructions to determine whether the data packet is intended for a system associated with the device;
      
      one or more instructions to drop the data packet when the data packet is not intended for the system; and
      
      one or more instructions to process the data packet when the data packet is intended for the system.
  - 16. The non-transitory computer-readable medium of claim 15, where the one or more instructions to process the data packet when the data packet is intended for the system include:
    - one or more instructions to create a session when the data packet is the first data packet in the session.
  - 17. The non-transitory computer-readable medium of claim 15, where the data packet is transmitted to the one or more management components or to the one or more management components by a switching board of the device,where the one or more management components are included on a management board of the device, andwhere the one or more processing components are included on a processing board of the device,the switching board, the management board, and the processing board being different from one another.
  - 18. The non-transitory computer-readable medium of claim 15, where the one or more instructions to process the data packet when the data packet is intended for the system include:
    - one or more instructions to determine whether the data packet is associated with one or more network attacks; and
      
      one or more instructions to drop the data packet when the data packet is associated with the one or more network attacks.
  - 19. The non-transitory computer-readable medium of claim 14, where the instructions further comprise one or more instructions to:
    - determine that the data packet is a first data packet in a session;
      
      determine, using information from the data packet, whether information relating to the session is stored in a session data structure of the device,the information from the data packet including layer 2 information and layer 3 information;
      
      transmit the data packet to the one or more management components when no information relating to the session is stored in the session data structure;
      
      determine whether the data packet is a first fragment of a fragmented packet, when information relating to the session is stored in the session data structure;
      
      store the information from the data packet and information associated with a first plurality of processing components of the device with the information relating to the session, when the data packet is a first fragment of a fragmented packet; and
      
      transmit the data packet to a second plurality of processing components of the device, when the data packet is not a first fragment of a fragmented packet,the second plurality of processing components being identified by the information relating to the session.
  - 20. The non-transitory computer-readable medium of claim 14, where the instructions further comprise one or more instructions to:
    - identify a protocol associated with the data packet; and
      
      determine whether the data packet is a first data packet in a session based on identifying the protocol associated with the data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Ke, Yan, Mao, Yuming, Tong, Jian, Huang, Guangsong
Primary Examiner(s)
Pham, Brenda H

Application Number

US13/302,808
Time in Patent Office

819 Days
Field of Search

370/389, 370/230, 370/360, 370/396, 370/401, 370/402, 370/474, 370/471, 370/473, 370/368, 370/398, 370/395.31, 370/419
US Class Current

370/401
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/1416   Event detection, e.g. attac...

Network security device and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network security device and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links