Security processing in active security devices

US 8,769,664 B1
Filed: 01/30/2009
Issued: 07/01/2014
Est. Priority Date: 01/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method for processing packets at a first security device, the method comprising:

receiving a packet at the first security device;

determining whether the packet is associated with a previously assigned flow;

in the event that the packet is not associated with the previously assigned flow;

storing a new flow relating to the packet in the first security device; and

notifying a distinct second security device that the new flow is stored in the first security device;

in the event that the packet is associated with the previously assigned flow;

determining whether the packet is associated with a flow assigned to the distinct second security device;

in the event that the packet is determined to be associated with the flow assigned to the distinct second security device;

sending the packet to the distinct second security device;

after the distinct second security device performs security processing using the packet, receiving from the distinct second security device a message regarding the packet; and

transmitting the packet;

in the event that the packet is not associated with the flow assigned to the distinct second security device, classifying, using the first security device, a second flow according to an application associated with the second flow, the packet being associated with the second flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer program products, featuring receiving at a first security device a packet. The first security device determines that the packet is associated with a flow assigned to a distinct second security device. The first security device sends the packet to the second security device. After the second security device performs security processing using the packet, the first security device receives from the second security device a message regarding the packet. The first security device transmits the packet.

39 Citations

View as Search Results

32 Claims

1. A method for processing packets at a first security device, the method comprising:
- receiving a packet at the first security device;
  
  determining whether the packet is associated with a previously assigned flow;
  
  in the event that the packet is not associated with the previously assigned flow;
  
  storing a new flow relating to the packet in the first security device; and
  
  notifying a distinct second security device that the new flow is stored in the first security device;
  
  in the event that the packet is associated with the previously assigned flow;
  
  determining whether the packet is associated with a flow assigned to the distinct second security device;
  
  in the event that the packet is determined to be associated with the flow assigned to the distinct second security device;
  
  sending the packet to the distinct second security device;
  
  after the distinct second security device performs security processing using the packet, receiving from the distinct second security device a message regarding the packet; and
  
  transmitting the packet;
  
  in the event that the packet is not associated with the flow assigned to the distinct second security device, classifying, using the first security device, a second flow according to an application associated with the second flow, the packet being associated with the second flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 32)
- - 2. The method of claim 1, where:
    - the message comprises the packet.
  - 3. The method of claim 1, where:
    - the packet is one of;
      
      an Internet Protocol (IP) packet, a Transmission Control Protocol (TCP) segment, and a User Datagram Protocol (UDP) datagram.
  - 4. The method of claim 1, where:
    - the first and second security devices are each a combination of one or more of;
      
      a firewall, a router, a switch, an Intrusion Detection System (IDS), and an Intrusion Protection System (IPS); and
      
      security processing includes one or more of;
      
      determining whether to drop or allow the packet, logging or storing the packet, setting an alarm, detecting viruses, detecting spyware, Uniform Resource Locator (URL) filtering, and Data Leakage Prevention (DLP).
  - 5. The method of claim 1, where:
    - receiving a packet comprises receiving a packet having been transmitted on a first route; and
      
      transmitting the packet comprises transmitting the packet so that it continues along the first route.
  - 6. The method of claim 1, where:
    - the packet is a response to an outbound packet associated with the flow;
      
      the second security device performed security processing on the outbound packet; and
      
      the second security device notified the first security device that the flow was assigned to the second security device.
  - 7. The method of claim 6, where:
    - the outbound packet was sent from a client to a server through the second security device; and
      
      the packet was sent from the server to the first security device, where the packet is destined for the client.
  - 8. The method of claim 1, where determining that the packet is associated with a flow assigned to a second security device includes:
    - identifying state information associated with the packet; and
      
      determining whether the state information associated with the packet is included in a flow table.
  - 9. The method of claim 1, further comprising:
    - receiving an additional packet;
      
      determining that the additional packet is not associated with a flow;
      
      associating the additional packet with a new session;
      
      evaluating the new session to determine if received packets associated with the new session should be allowed;
      
      if received packets associated with the new session should be allowed, creating a new flow record in a flow table; and
      
      notifying one or more other security devices that a new flow associated with the additional packet is assigned to the first security device.
  - 10. The method of claim 1, wherein classifying the second flow according to the application associated with the second flow comprises:
    - determining whether the second flow has been classified;
      
      in the event that the second flow has not been classified, attempting to classify the second flow according to the application associated with the second flow;
      
      in the event that attempting to classify the second flow is unsuccessful, storing a copy of the additional packet locally; and
      
      performing security processing on the additional packet.
  - 32. The method of claim 1, wherein the notifying of the distinct second security device includes sending a message including state information relating to the new flow to the distinct second security device.

11. A computer program product, encoded on a non-transitory computer-readable medium, comprising computer instructions that when executed cause a first security device to perform operations comprising:
- receiving a packet at the first security device;
  
  determining whether the packet is associated with a previously assigned flow;
  
  in the event that the packet is not associated with the previously assigned flow;
  
  storing a new flow relating to the packet in the first security device; and
  
  notifying a distinct second security device that the new flow is stored in the first security device;
  
  in the event that the packet is associated with the previously assigned flow;
  
  determining whether the packet is associated with a flow assigned to the distinct second security device;
  
  in the event that the packet is determined to be associated with the flow assigned to the distinct second security device;
  
  sending the packet to the distinct second security device;
  
  after the distinct second security device performs security processing using the packet, receiving from the distinct second security device a message regarding the packet; and
  
  transmitting the packet;
  
  in the event that the packet is not associated with the flow assigned to the distinct second security device, classifying a second flow according to an application associated with the second flow, the packet being associated with the second flow.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11, where:
    - the message comprises the packet.
  - 13. The computer program product of claim 11, where:
    - the packet is one of;
      
      an Internet Protocol (IP) packet, a Transmission Control Protocol (TCP) segment, and a User Datagram Protocol (UDP) datagram.
  - 14. The computer program product of claim 11, where:
    - the first and second security devices are each a combination of one or more of;
      
      a firewall, a router, a switch, an Intrusion Detection System (IDS), and an Intrusion Protection System (IPS); and
      
      security processing includes one or more of;
      
      determining whether to drop or allow the packet, logging or storing the packet, setting an alarm, detecting viruses, detecting spyware, Uniform Resource Locator (URL) filtering, and Data Leakage Prevention (DLP).
  - 15. The computer program product of claim 11, where:
    - receiving a packet comprises receiving a packet having been transmitted on a first route; and
      
      transmitting the packet comprises transmitting the packet so that it continues along the first route.
  - 16. The computer program product of claim 11, where:
    - the packet is a response to an outbound packet associated with the flow;
      
      the second security device performed security processing on the outbound packet; and
      
      the second security device notified the first security device that the flow was assigned to the second security device.
  - 17. The computer program product of claim 16, where:
    - the outbound packet was sent from a client to a server through the second security device; and
      
      the packet was sent from the server to the first security device, where the packet is destined for the client.
  - 18. The computer program product of claim 11, where determining that the packet is associated with a flow assigned to a second security device includes:
    - identifying state information associated with the packet; and
      
      determining whether the state information associated with the packet is included in a flow table.
  - 19. The computer program product of claim 11, the operations further comprising:
    - receiving an additional packet;
      
      determining that the additional packet is not associated with a flow;
      
      associating the additional packet with a new session;
      
      evaluating the new session to determine if received packets associated with the new session should be allowed;
      
      if received packets associated with the new session should be allowed, creating a new flow record in a flow table; and
      
      notifying one or more other security devices that a new flow associated with the additional packet is assigned to the first security device.
  - 20. The computer program product of claim 11, wherein classifying the second flow according to the application associated with the second flow comprises:
    - determining whether the second flow has been classified;
      
      in the event that the second flow has not been classified, attempting to classify the second flow according to the application associated with the flow;
      
      in the event that attempting to classify the second flow is unsuccessful, storing a copy of the additional packet locally; and
      
      performing security processing on the additional packet.

21. A system comprising:
- a first security device comprising one or more processors and one or more network interfaces;
  
  where the first security device has encoded on a computer-readable medium instructions operable to cause one or more of the processors of the first security device to perform operations comprising;
  
  receiving a packet at the first security device using one of the network interfaces;
  
  determining whether the packet is associated with a previously assigned flow;
  
  in the event that the packet is not associated with the previously assigned flow;
  
  storing a new flow relating to the packet in the first security device; and
  
  notifying a distinct second security device that the new flow is stored in the first security device;
  
  in the event that the packet is associated with the previously assigned flow;
  
  determining whether the packet is associated with a flow assigned to the distinct second security device;
  
  in the event that the packet is determined to be associated with the flow assigned to the distinct second security device;
  
  sending the packet to the distinct second security device;
  
  after the distinct second security device performs security processing using the packet, receiving from the distinct second security device a message regarding the packet; and
  
  transmitting the packet using one of the network interfaces;
  
  in the event that the packet is not associated with the flow assigned to the distinct second security device, classifying a second flow according to an application associated with the second flow, the packet being associated with the second flow.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 22. The system of claim 21, where:
    - the message comprises the packet.
  - 23. The system of claim 21, where:
    - the packet is one of;
      
      an Internet Protocol (IP) packet, a Transmission Control Protocol (TCP) segment, and a User Datagram Protocol (UDP) datagram.
  - 24. The system of claim 21, where:
    - the first and second security devices are each a combination of one or more of;
      
      a firewall, a router, a switch, an Intrusion Detection System (IDS), and an Intrusion Protection System (IPS); and
      
      security processing includes one or more of;
      
      determining whether to drop or allow the packet, logging or storing the packet, setting an alarm, detecting viruses, detecting spyware, Uniform Resource Locator (URL) filtering, and Data Leakage Prevention (DLP).
  - 25. The system of claim 21, where:
    - receiving a packet comprises receiving a packet having been transmitted on a first route; and
      
      transmitting the packet comprises transmitting the packet so that it continues along the first route.
  - 26. The system of claim 21, where:
    - the packet is a response to an outbound packet associated with the flow;
      
      the second security device performed security processing on the outbound packet; and
      
      the second security device notified the first security device that the flow was assigned to the second security device.
  - 27. The system of claim 26, where:
    - the outbound packet was sent from a client to a server through the second security device; and
      
      the packet was sent from the server to the first security device, where the packet is destined for the client.
  - 28. The system of claim 21, where determining that the packet is associated with a flow assigned to a second security device includes:
    - identifying state information associated with the packet; and
      
      determining whether the state information associated with the packet is included in a flow table.
  - 29. The system of claim 21, the operations further comprising:
    - receiving an additional packet;
      
      determining that the additional packet is not associated with a flow;
      
      associating the additional packet with a new session;
      
      evaluating the new session to determine if received packets associated with the new session should be allowed;
      
      if received packets associated with the new session should be allowed, creating a new flow record in a flow table; and
      
      notifying one or more other security devices that a new flow associated with the additional packet is assigned to the first security device.
  - 30. The system of claim 21, wherein classifying the second flow according to an application associated with the second flow comprises:
    - determining whether the second flow has been classified;
      
      in the event that the second flow has not been classified, attempting to classify the second flow according to an application associated with the second flow;
      
      in the event that attempting to classify the second flow is unsuccessful, storing a copy of the additional packet locally; and
      
      performing security processing on the additional packet.
  - 31. The system of claim 21, further comprising the second security device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zuk, Nir, Mao, Yuming, Xu, Wilson
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US12/363,102
Time in Patent Office

1,978 Days
Field of Search

726/13, 726/23, 713/151, 713/153
US Class Current

726/13
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/0236 Filtering by address, proto...

Security processing in active security devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Security processing in active security devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links