Distributed multi-processing security gateway

US 8,914,871 B1
Filed: 05/01/2013
Issued: 12/16/2014
Est. Priority Date: 08/08/2006
Status: Active Grant

First Claim

Patent Images

1. A distributed network system, comprising:

a plurality of processing modules, wherein each processing module comprises a multi-core processor, the multi-core processor of each of the plurality of processing modules comprising a plurality of processing cores;

a selecting module for selecting a network address, the network address selected such that a calculated first processing module identity of a first processing module of the plurality of processing modules is the same as a calculated second processing module identity of a second processing module of the plurality of processing modules, and for selectively establishing a server side session with a server using the selected network address; and

a dispatching module for;

receiving a first data packet from a host side session, calculating the first processing module identity using the first data packet, and assigning the first processing module with the first processing module identity to process the first data packet, wherein the processing of the first data packet by the first processing module comprises;

substituting a host network address in the first data packet with the selected network address, andsending the processed first data packet to the server side session; and

receiving a second data packet from the server side session, calculating the second processing module identity using the selected network address in the second data packet, and assigning the second processing module with the second processing module identity to process the second data packet, wherein the processing of the second data packet by the second processing module comprises;

substituting the selected network address in the second data packet with the host network address, andsending the processed second data packet to the host side session.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.

Citations

38 Claims

1. A distributed network system, comprising:
- a plurality of processing modules, wherein each processing module comprises a multi-core processor, the multi-core processor of each of the plurality of processing modules comprising a plurality of processing cores;
  
  a selecting module for selecting a network address, the network address selected such that a calculated first processing module identity of a first processing module of the plurality of processing modules is the same as a calculated second processing module identity of a second processing module of the plurality of processing modules, and for selectively establishing a server side session with a server using the selected network address; and
  
  a dispatching module for;
  
  receiving a first data packet from a host side session, calculating the first processing module identity using the first data packet, and assigning the first processing module with the first processing module identity to process the first data packet, wherein the processing of the first data packet by the first processing module comprises;
  
  substituting a host network address in the first data packet with the selected network address, andsending the processed first data packet to the server side session; and
  
  receiving a second data packet from the server side session, calculating the second processing module identity using the selected network address in the second data packet, and assigning the second processing module with the second processing module identity to process the second data packet, wherein the processing of the second data packet by the second processing module comprises;
  
  substituting the selected network address in the second data packet with the host network address, andsending the processed second data packet to the host side session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1, wherein the selecting a network address comprises a calculation based on a network address of the host.
  - 3. The system of claim 2, wherein the calculation further includes applying a hashing function to the network address of the host.
  - 4. The system of claim 1, wherein the calculation is further based on a network address of the distributed network system.
  - 5. The system of claim 1, wherein the first processing module identity comprises a first processor core identity of a first processor core of the multi-core processor of the first processing module, and the second processing module identity further comprises a second processor core identity of a second processor core of the multi-core processor of the second processing module.
  - 6. The system of claim 1 further comprising:
    - a memory module comprising a plurality of network addresses, wherein selecting a network address comprises selecting a network address from the plurality of network addresses in the memory module.
  - 7. The system of claim 6, wherein the memory module is a shared memory module.
  - 8. The system of claim 1, wherein the calculating the first processing module identity by the dispatching module is based on one or more network addresses of the first data packet.
  - 9. The system of claim 8, wherein the one or more network addresses of the first data packet comprise one or more IP addresses of the first data packet.
  - 10. The system of claim 8, wherein the one or more network addresses of the first data packet further comprise one or more transport layer addresses of the first data packet.
  - 11. The system of claim 1, wherein the calculating the second processing module identity by the dispatching module is based on one or more network addresses of the second data packet.
  - 12. The system of claim 11, wherein the one or more network addresses of the second data packet comprise one or more IP addresses of the second data packet.
  - 13. The system of claim 11, wherein the one or more network addresses of the second data packet further comprise one or more transport layer addresses of the second data packet.
  - 14. The system of claim 1, wherein processing the first data packet by the first processing module further comprises processing the first data packet according to a security policy.
  - 15. The system of claim 14, wherein the security policy comprises at least one of:
    - content filtering;
      
      virus detection and infestation prevention;
      
      spyware or phishing blocking;
      
      network intrusion or denial of service prevention;
      
      lawful interception;
      
      data traffic monitoring;
      
      or data traffic interception.
  - 16. The system of claim 1, wherein processing the second data packet by the second processing module further comprises processing according to a security policy.
  - 17. The system of claim 16, wherein the security policy comprises at least one of:
    - content filtering;
      
      virus detection and infestation prevention;
      
      spyware or phishing blocking;
      
      network intrusion or denial of service prevention;
      
      lawful interception;
      
      data traffic monitoring;
      
      or data traffic interception.
  - 18. The system of claim 1, wherein the selected network address comprises an IP address.
  - 19. The system of claim 1, wherein the selected network address further comprises a TCP or UDP port number.

20. A method for a distributed network system comprising a plurality of processing modules having a multi-core processor, the multi-core processor of each of the plurality of processing modules comprising a plurality of processing cores, the method comprising:
- selecting, via a selecting module, a network address, the network address selected such that a calculated first processing module identity of a first processing module of the plurality of processing modules is the same as a calculated second processing module identity of a second processing module of the plurality of processing modules;
  
  selectively establishing, via a selecting module, a server side session with a server using the selected network address;
  
  calculating, via a dispatching module, the first processing module identity using a received first data packet from a host side session, and assigning the first processing module with the first processing module identity to process the first data packet, wherein the processing of the first data packet by the first processing module comprises;
  
  substituting a host network address in the first data packet with the selected network address, andsending the processed first data packet to the server side session; and
  
  calculating, via a dispatching module, the second processing module identity using the selected network address in a second data packet, and assigning the second processing module with the second processing module identity to process the second data packet, wherein the processing of the second data packet by the second processing module comprises;
  
  substituting the selected network address in the second data packet with the host network address, andsending the processed second data packet to the host side session.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The method of claim 20, wherein the selecting a network address comprises a calculation based on a network address of the host.
  - 22. The method of claim 21, wherein the calculation further includes applying a hashing function to the network address of the host.
  - 23. The method of claim 20, wherein the calculation is further based on a network address of the distributed network system.
  - 24. The method of claim 20, wherein the first processing module identity comprises a first processor core identity of a first processor core of the multi-core processor of the first processing module, and the second processing module identity further comprises a second processor core identity of a second processor core of the multi-core processor of the second processing module.
  - 25. The method of claim 20, wherein the selecting a network address further comprises:
    - selecting a network address from a plurality of network addresses in a memory module.
  - 26. The method of claim 25, wherein the memory module is a shared memory module.
  - 27. The method of claim 20, wherein the calculating the first processing module identity by the dispatching module is based on one or more network addresses of the first data packet.
  - 28. The method of claim 27, wherein the one or more network addresses of the first data packet comprise one or more IP addresses of the first data packet.
  - 29. The method of claim 27, wherein the one or more network addresses of the first data packet further comprise one or more transport layer addresses of the first data packet.
  - 30. The method of claim 20, wherein the calculating the second processing module identity by the dispatching module is based on one or more network addresses of the second data packet.
  - 31. The method of claim 30, wherein the one or more network addresses of the second data packet comprise one or more IP addresses of the second data packet.
  - 32. The method of claim 30, wherein the one or more network addresses of the second data packet further comprise one or more transport layer addresses of the second data packet.
  - 33. The method of claim 20, wherein processing the first data packet by the first processing module further comprises processing the first data packet according to a security policy.
  - 34. The method of claim 33, wherein the security policy comprises at least one of:
    - content filtering;
      
      virus detection and infestation prevention;
      
      spyware or phishing blocking;
      
      network intrusion or denial of service prevention;
      
      lawful interception;
      
      data traffic monitoring;
      
      or data traffic interception.
  - 35. The method of claim 20, wherein processing the second data packet by the second processing module further comprises processing according to a security policy.
  - 36. The method of claim 35, wherein the security policy comprises at least one of:
    - content filtering;
      
      virus detection and infestation prevention;
      
      spyware or phishing blocking;
      
      network intrusion or denial of service prevention;
      
      lawful interception;
      
      data traffic monitoring;
      
      or data traffic interception.
  - 37. The method of claim 20, wherein the selected network address comprises an IP address.
  - 38. The method of claim 20, wherein the selected network address further comprises a TCP or UDP port number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Szeto, Ronald Wai Lun
Primary Examiner(s)
Mehedi, Morshed

Application Number

US13/875,184
Time in Patent Office

594 Days
Field of Search

726/12
US Class Current

726/12
CPC Class Codes

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/2557   Translation policies or rules

H04L 63/0209   Architectural arrangements,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/20   for managing network securi...

H04L 65/1069   Session establishment or de...

Distributed multi-processing security gateway

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed multi-processing security gateway

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links